Hello everybody,

I noticed some strange behaviour of the routine 'BUF_MEM_grow': in some conditions, the buffer content is changed; precisely, null bytes are appended to the data.

Let us denote by 'x' the value of x at the end of the function, by "old x" its value at routine entry, and by 'size' the requested buffer length; we have: "old max > size implies max = old max and length = size" even if size <= length, which in this case appends "length - size" bytes to the buffer.

This means that the length field is not reliable after resizing, which is error-prone when some routines have to use an externally provided BUF_MEM. I noticed this when I used BUF_MEM to store strings and wanted to append 2 strings into one BUF_MEM.

I looked at some places in the source code of OpenSSL and noticed that the length is either saved (bio/bss_mem.c, mem_write) or ignored (PEM_read_bio, asn1_collate_primitive, ASN1_d2i_bio). That explains why the behaviour I describe has no undesirable effect on the current release.

So, I suggest removing from BUF_MEM_grow the 2 assignments which cause trouble, which would give the attached patch.

-- 
"A language is not a set of syntax rules. It is not just a set of semantics. It's the entire culture surrounding the language itself. So part of the cultural context in which you analyse a language includes all the personalities and people involved." -- Larry Wall (from "http://www.ddj.com/articles/1998/9802/9802a/9802a.htm")
--- buffer.c Wed Sep 12 14:54:24 2001 +++ buffer-new.c Wed Sep 12 15:14:58 2001 @@ -102,7 +102,6 @@ if (str->max >= len) { memset(&str->data[str->length],0,len-str->length); - str->length=len; return(len); } n=(len+3)/3*4; @@ -113,13 +112,13 @@ if (ret == NULL) { BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE); - len=0; + /* don't touch the existing content */ + return 0; } else { - str->data=ret; - str->length=len; - str->max=n; + memset(&str->data[str->length],0,len-str->length); + str->data=ret; str->max=n; } return(len); }
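Review bot: in the first hunk, dropping `str->length=len;` from the `str->max >= len` branch leaves the preceding `memset(&str->data[str->length],0,len-str->length);` in place, and nothing visible in this hunk guarantees `len >= str->length`; if a caller passes a `len` below the current length, `len-str->length` is negative and turns into a huge `size_t` in memset. Either guard the zero-fill, e.g. `if (len > str->length) memset(&str->data[str->length],0,len-str->length);`, or point to where the smaller-`len` case is rejected before this branch. The branch also still ends in `return(len);` although `str->length` is no longer updated, so the return value no longer says how long the buffer is; the changed contract (length untouched, only capacity guaranteed) needs to be stated in the function's header comment.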
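Review bot: in the second hunk, the new else branch zero-fills through the old pointer before installing the new one: `memset(&str->data[str->length],0,len-str->length);` runs while `str->data` still refers to the buffer that `ret` is about to replace, and this branch is only reached after the `str->max >= len` test above failed, so the old block is smaller than `len` and the write runs past its end (and, if `ret` came from reallocating `str->data`, through a pointer that may already be stale). Do `str->data=ret;` first and then memset on the new block. Also keep `str->data=ret;` and `str->max=n;` on separate lines as the removed lines had them. The early `return 0;` on the `ret == NULL` path is equivalent to the old `len=0;` fall-through and is fine.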
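As an added example (not OpenSSL's code and not part of the post): a constructed model of BUF_MEM_grow with the behaviour the post describes, next to an append helper that saves the old length before growing, the way the post says bss_mem.c's mem_write does. The names buf_mem_t, model_grow, buf_append, grow_resets_length and demo_two_strings are made up for this example.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's BUF_MEM (same int-sized fields); not the library's code. */
typedef struct { int length; char *data; int max; } buf_mem_t;
/* Model of the grow semantics the post describes: on success length becomes exactly len and
 * the bytes between the old length and len are zero-filled; a failed realloc returns 0. */
static int model_grow(buf_mem_t *b, int len)
{
    if (len < 0) return 0;
    if (b->length >= len) { b->length = len; return len; }  /* shrink: tail is dropped */
    if (b->max < len) {
        int n = (len + 3) / 3 * 4;                 /* over-allocation rule from the patch context */
        char *p = realloc(b->data, (size_t)n);
        if (p == NULL) return 0;                   /* buffer left untouched on failure */
        b->data = p; b->max = n;
    }
    memset(&b->data[b->length], 0, (size_t)(len - b->length));
    b->length = len; return len;
}
/* Append in the style of bss_mem.c's mem_write: save the old length first,
 * because grow rewrites length to the requested size. */
static int buf_append(buf_mem_t *b, const char *s, int n)
{
    int old = b->length;
    if (n < 0 || old > INT_MAX - n || model_grow(b, old + n) == 0) return 0;
    memcpy(&b->data[old], s, (size_t)n);
    return b->length;
}
/* Grow a 5-byte buffer to 8 and back to 3: 1 if length tracks the request and the new bytes are 0. */
static int grow_resets_length(void)
{
    buf_mem_t b = {0, NULL, 0};
    int ok = buf_append(&b, "abcde", 5) == 5
          && model_grow(&b, 8) == 8 && b.length == 8
          && b.data[5] == 0 && b.data[6] == 0 && b.data[7] == 0
          && model_grow(&b, 3) == 3 && b.length == 3 && b.max >= 8;
    free(b.data);
    return ok;
}
/* The post's scenario, two strings into one buffer: 12 if the content is "hello, world", else -1. */
static int demo_two_strings(void)
{
    buf_mem_t b = {0, NULL, 0};
    int len = (buf_append(&b, "hello, ", 7) && buf_append(&b, "world", 5)) ? b.length : -1;
    if (len == 12 && memcmp(b.data, "hello, world", 12) != 0) len = -1;
    free(b.data);
    return len;
}
```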