Greetings,
I have observed that pn_data_grow() function looses half of the available data
capacity.
The following happens: when data overflows, pn_data_grow is invoked. It
increases
data capacity 2 times and reallocates nodes array. Data capacity is represented
as
uint16_t type and so when capacity reaches 32768 items, the result of
multiplication by 2
becomes 0. This makes realloc return null and crashes the program.
To alleviate the problem with large messages I changed the function as follows:
--- qpid-proton-0.9/proton-c/src/codec/codec.c 2015-03-31 12:07:22.000000000
+0300
+++ qpid-proton-0.9.fix/proton-c/src/codec/codec.c 2015-05-26
21:18:55.801632941 +0300
@@ -417,8 +417,21 @@ void pn_data_clear(pn_data_t *data)
int pn_data_grow(pn_data_t *data)
{
- data->capacity = 2*(data->capacity ? data->capacity : 2);
- data->nodes = (pni_node_t *) realloc(data->nodes, data->capacity *
sizeof(pni_node_t));
+ size_t s = data->capacity;
+
+ if (s < 0x7fff)
+ s = 2 * (s? s : 2);
+ else if (s < 0xffff - 1024)
+ s += 1024;
+ else if (s != 0xffff)
+ s = 0xffff;
+ else {
+ pn_logf("Data node %p overflow", data);
+ abort();
+ }
+
+ data->nodes = (pni_node_t *) realloc(data->nodes, s * sizeof(pni_node_t));
+ data->capacity = s;
return 0;
This allows to use capacities in 0x8000 ... 0xffff range and is supposed to
report
data overflow.
Best regards,
--
\ / | |
(OvO) | Mikhail Iwanow |
(^^^) | |
\^/ | E-mail: iv...@logit-ag.de |
^ ^ | |
