Github user ted-ross commented on a diff in the pull request:
https://github.com/apache/qpid-dispatch/pull/43#discussion_r52058434
--- Diff: src/message.c ---
@@ -318,7 +318,7 @@ static int qd_check_and_advance(qd_buffer_t
**buffer,
int pre_consume = 1; // Count the already extracted tag
int consume = 0;
unsigned char tag = next_octet(&test_cursor, &test_buffer);
- if (!test_cursor) return 0;
+
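Review bot: dropping `if (!test_cursor) return 0;` leaves nothing between `next_octet(&test_cursor, &test_buffer)` and the switch that follows it to stop a cursor that has just run off the end of the buffer chain, so a field whose tag is the last octet present (the E0-with-nothing-after-it case raised below) reaches the switch with test_cursor == NULL, and the next next_octet call in the switch body dereferences it. If the goal is to accept zero-length fields whose tag ends the data, keep the check and make it conditional on the tag class instead of removing it, e.g. `if (!test_cursor && (tag & 0xF0) != 0x40) return 0;`, so only the 4x-class (zero-length) constructors pass with a NULL cursor while every tag that needs more octets is still rejected before the switch.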
--- End diff --
Taking away this test removes the protection it provided and means that
test_cursor may be referenced-as-null in the body of the following switch
statement. Here's a test case that I think may cause a problem with this
change: The body (from the tag forward) contains only E0 with no data
following. This is a malformed field, but it would cause next_octet to be
called with a null cursor.
A better solution would be to leave the test in place, but allow it to pass
only if the tag is a 4x-class tag (i.e. zero length).
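The failure mode and the suggested fix above, as an added worked example that is not code from the qpid-dispatch project: `buf_t`, `next_octet`, `skip_octets`, `read_size`, `check_and_advance` and `run_check` are a constructed stand-in for a chained-buffer cursor and for the check routine in the diff, written only to show the hazard. It assumes the convention the comment describes (next_octet sets the cursor to NULL once the last octet has been consumed and reads through it unconditionally) and uses the AMQP 1.0 constructor classes taken from the spec: high nibble 4 is zero-length, 5 to 9 are fixed widths of 1/2/4/8/16 octets, A/C/E carry a 1-octet size prefix, B/D/F a 4-octet size prefix, and 0x00 introduces a descriptor. The sample fields are constructed, not captured traffic. The kept check, relaxed only for the 4x class, is what stops the lone E0 tag from reaching next_octet with a NULL cursor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical chained buffer (stand-in, not qpid-dispatch's qd_buffer_t). */
typedef struct buf { const unsigned char *data; size_t len; struct buf *next; } buf_t;

/* Read one octet at *cursor and advance. When the current buffer is exhausted,
   move to the next one; when none remains, set *cursor to NULL. As in the
   review, the read itself is unguarded: calling this with *cursor == NULL is
   a NULL dereference, which is exactly what the removed check prevented. */
static unsigned char next_octet(const unsigned char **cursor, buf_t **buffer) {
    unsigned char c = **cursor;
    (*cursor)++;
    if (*cursor == (*buffer)->data + (*buffer)->len) {
        *buffer = (*buffer)->next;
        *cursor = *buffer ? (*buffer)->data : NULL;
    }
    return c;
}

/* Consume n octets; 0 if the data runs out first (cursor checked before every read). */
static int skip_octets(const unsigned char **cursor, buf_t **buffer, size_t n) {
    while (n--) {
        if (!*cursor) return 0;
        (void) next_octet(cursor, buffer);
    }
    return 1;
}

/* Big-endian size prefix of 'width' octets; -1 if truncated. */
static int64_t read_size(const unsigned char **cursor, buf_t **buffer, int width) {
    uint64_t size = 0;
    for (int i = 0; i < width; i++) {
        if (!*cursor) return -1;
        size = (size << 8) | next_octet(cursor, buffer);
    }
    return (int64_t) size;
}

/* Verify that the next encoded field is complete and advance past it.
   Returns 1 on success, 0 for a malformed or truncated field. */
static int check_and_advance(const unsigned char **cursor, buf_t **buffer) {
    if (!*cursor) return 0;                         /* not even a tag present */
    unsigned char tag = next_octet(cursor, buffer);
    unsigned char cls = tag & 0xF0;
    /* The check from the diff, kept but relaxed for the 4x (zero-length) class:
       a bare 0x40..0x4F tag at the very end is complete; anything else that
       ends right after its tag is truncated and must not reach the switch. */
    if (!*cursor && cls != 0x40) return 0;
    switch (cls) {
    case 0x00: /* descriptor: a full encoded value, then the described value */
        return check_and_advance(cursor, buffer) && check_and_advance(cursor, buffer);
    case 0x40: return 1;
    case 0x50: return skip_octets(cursor, buffer, 1);
    case 0x60: return skip_octets(cursor, buffer, 2);
    case 0x70: return skip_octets(cursor, buffer, 4);
    case 0x80: return skip_octets(cursor, buffer, 8);
    case 0x90: return skip_octets(cursor, buffer, 16);
    case 0xA0: case 0xC0: case 0xE0: {              /* 1-octet size prefix */
        int64_t size = read_size(cursor, buffer, 1);
        return size >= 0 && skip_octets(cursor, buffer, (size_t) size);
    }
    case 0xB0: case 0xD0: case 0xF0: {              /* 4-octet size prefix */
        int64_t size = read_size(cursor, buffer, 4);
        return size >= 0 && skip_octets(cursor, buffer, (size_t) size);
    }
    default: return 0;                              /* no such constructor class */
    }
}

/* Test driver: run the check over bytes[0..len), split into two buffers after
   'split' octets (1 <= split <= len; split == len means a single buffer).
   On success *consumed is the number of octets the field occupied. */
static int run_check(const unsigned char *bytes, size_t len, size_t split, size_t *consumed) {
    buf_t b2 = { bytes + split, len - split, NULL };
    buf_t b1 = { bytes, split, (split < len) ? &b2 : NULL };
    buf_t *buffer = len ? &b1 : NULL;
    const unsigned char *cursor = len ? bytes : NULL;
    int ok = check_and_advance(&cursor, &buffer);
    size_t remaining = 0;
    if (buffer) {
        remaining = (size_t) ((buffer->data + buffer->len) - cursor);
        for (buf_t *b = buffer->next; b; b = b->next) remaining += b->len;
    }
    *consumed = len - remaining;
    return ok;
}

/* Constructed sample fields. */
static const unsigned char SAMPLE_ARRAY8_TRUNCATED[] = { 0xE0 };              /* the review's case */
static const unsigned char SAMPLE_NULL[]             = { 0x40 };              /* zero-length, valid */
static const unsigned char SAMPLE_UBYTE[]            = { 0x50, 0x07 };
static const unsigned char SAMPLE_VBIN8[]            = { 0xA0, 0x03, 'a', 'b', 'c', 0x41 };
static const unsigned char SAMPLE_DESCRIBED[]        = { 0x00, 0x53, 0x10, 0x40 };

int main(void) {
    size_t n;
    printf("lone E0 tag:    %s\n", run_check(SAMPLE_ARRAY8_TRUNCATED, 1, 1, &n) ? "ok" : "rejected");
    printf("lone 40 tag:    %s (%zu octets)\n", run_check(SAMPLE_NULL, 1, 1, &n) ? "ok" : "rejected", n);
    printf("ubyte, split:   %s (%zu octets)\n", run_check(SAMPLE_UBYTE, 2, 1, &n) ? "ok" : "rejected", n);
    printf("vbin8 + tail:   %s (%zu octets)\n", run_check(SAMPLE_VBIN8, 6, 2, &n) ? "ok" : "rejected", n);
    printf("described null: %s (%zu octets)\n", run_check(SAMPLE_DESCRIBED, 4, 4, &n) ? "ok" : "rejected", n);
    return 0;
}
```

The interesting lines are the two checks in check_and_advance: the first rejects an empty input before the tag read, the second is the one from the diff with the 4x-class exemption. Remove the second and the lone E0 tag falls into the 0xE0 case, read_size sees a NULL cursor and returns -1 only because it checks for it; a body that called next_octet directly, as the comment warns, would crash instead.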
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]