Greetings,

I have observed that the pn_data_grow() function loses half of the available data capacity.
The following happens: when data overflows, pn_data_grow is invoked. It increases
the data capacity 2 times and reallocates the nodes array. Data capacity is represented
as a uint16_t type, and so when capacity reaches 32768 items, the result of multiplication by 2
becomes 0. This makes realloc return null and crashes the program.

To alleviate the problem with large messages I changed the function as follows:

--- qpid-proton-0.9/proton-c/src/codec/codec.c  2015-03-31 12:07:22.000000000 
+0300
+++ qpid-proton-0.9.fix/proton-c/src/codec/codec.c      2015-05-26 
21:18:55.801632941 +0300
@@ -417,8 +417,21 @@ void pn_data_clear(pn_data_t *data)

 int pn_data_grow(pn_data_t *data)
 {
-  data->capacity = 2*(data->capacity ? data->capacity : 2);
-  data->nodes = (pni_node_t *) realloc(data->nodes, data->capacity * 
sizeof(pni_node_t));
+  size_t    s = data->capacity;
+
+  if (s < 0x7fff)
+     s = 2 * (s? s : 2);
+  else if (s < 0xffff - 1024)
+     s += 1024;
+  else if (s != 0xffff)
+     s = 0xffff;
+  else {
+     pn_logf("Data node %p overflow", data);
+     abort();
+  }
+
+  data->nodes = (pni_node_t *) realloc(data->nodes, s * sizeof(pni_node_t));
+  data->capacity = s;
   return 0;
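Review bot: the realloc result is assigned straight to data->nodes with no NULL check, so if the allocation fails the old array is leaked and the NULL pointer is dereferenced on the next node write; assign to a temporary first and bail out, e.g. `pni_node_t *p = realloc(data->nodes, s * sizeof(pni_node_t));` followed by `if (!p) return -1;` before `data->nodes = p;`. The capacity-exhausted branch would be better served the same way: pn_data_grow already returns an int, so returning a non-zero error code lets the caller handle the condition instead of abort() taking the whole process down from library code.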

This allows using capacities in the 0x8000 ... 0xffff range and is supposed to report
data overflow.

Best regards,
-- 
 \   / |                                   |
 (OvO) |  Mikhail Iwanow                   |
 (^^^) |                                   |
  \^/  |      E-mail:  iv...@logit-ag.de   |
  ^ ^  |                                   |
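Added example, not code from the message above or from the qpid-proton project: a small C program that reproduces the uint16_t wrap the report describes (the doubled capacity truncating to 0 at 32768) and shows a grow routine that computes the new size in size_t, clamps it at UINT16_MAX, checks the realloc result and only commits the new pointer and capacity on success. The node struct, field names and the CAP_MAX limit are constructed stand-ins; the real pni_node_t and pn_data_t differ.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed stand-in for the node array element (real pni_node_t is larger). */
typedef struct { uint32_t payload; } node_t;

/* Constructed stand-in for the data structure; capacity is deliberately
   16 bits wide, as in the report. */
typedef struct {
    node_t  *nodes;
    uint16_t capacity;
} data_t;

/* Hypothetical upper bound for a 16-bit capacity field. */
#define CAP_MAX UINT16_MAX

/* Reproduces the original arithmetic: the doubled value stored back into
   a uint16_t. 2 * 32768 == 65536 truncates to 0. */
uint16_t naive_next_capacity(uint16_t cap)
{
    return (uint16_t)(2 * (cap ? cap : 2));
}

/* Hardened grow: widen to size_t before doubling, clamp instead of
   wrapping, refuse to grow past CAP_MAX, and keep the old array intact
   if realloc fails. Returns 0 on success, -1 on failure. */
int checked_grow(data_t *data)
{
    size_t cap = data->capacity;
    if (cap >= CAP_MAX)
        return -1;                       /* already at the limit */

    size_t next = 2 * (cap ? cap : 2);
    if (next > CAP_MAX)
        next = CAP_MAX;                  /* clamp rather than wrap to 0 */

    node_t *p = realloc(data->nodes, next * sizeof *p);
    if (!p)
        return -1;                       /* data->nodes still valid, not leaked */

    data->nodes = p;
    data->capacity = (uint16_t)next;
    return 0;
}

/* Grows a fresh data_t until checked_grow refuses, frees the array and
   returns the final capacity reached (expected: CAP_MAX, not 0). */
unsigned demo_grow_to_limit(void)
{
    data_t d = { NULL, 0 };
    unsigned steps = 0;
    while (checked_grow(&d) == 0)
        steps++;
    unsigned final_cap = d.capacity;
    free(d.nodes);
    printf("grew %u times, final capacity %u\n", steps, final_cap);
    return final_cap;
}

int main(void)
{
    printf("naive next capacity after 32768: %u\n",
           (unsigned)naive_next_capacity(32768));
    demo_grow_to_limit();
    return 0;
}
```

Clamping to CAP_MAX mirrors the intent of the posted patch (use the full 0x8000 ... 0xffff range, then report exhaustion); the difference is that exhaustion and allocation failure both surface as a return code the caller can act on, and the old buffer is never lost.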
