Bug #2742

closed

Assert wrongly triggered in buffer_copy_string_hex()

Added by Isibaar almost 5 years ago. Updated almost 5 years ago.

Status: Fixed
Priority: Normal
Category: core
Target version:

Description

Upon updating from 1.4.39 to 1.4.40 I ran into a new bug: You have added a new force_assert() in 1.4.40, which I believe gets incorrectly triggered and exits lighttpd:

https://github.com/lighttpd/lighttpd1.4/blob/master/src/buffer.c#L475

The problem is not the assert itself but how the li_tohex() function is called from buffer_copy_string_hex() here:

https://github.com/lighttpd/lighttpd1.4/blob/master/src/buffer.c#L489

I think use of buffer_string_space() to compute the second argument is wrong. The buffer_string_space() function returns the still unused but already allocated memory of the buffer. But in the previous line 488 buffer_string_set_length() was used to "reserve" the space we need in the destination buffer already and the "reserved" space is marked as used. Therefore, the subsequent call to buffer_string_space() basically returns just the number of bytes allocated beyond the reserved space that's needed (so it actually returns just the amount of padding for the alignment). And this almost always will be less than 2*in_len and so trigger the assert in l.475.

I think buffer_string_length() should be used instead of the buffer_string_space() in l.489. This fixes the problem for me.
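The length-versus-space mix-up described in the report, as an added example that is not part of the original report and is not lighttpd's code. It uses a simplified buffer model: the `model_*` names, `hex_fits()`, the 64-byte allocation granularity and the exact form of the capacity check are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (assumption, not lighttpd's struct): `used` counts the
 * string bytes plus the terminating NUL, `size` is the allocation. */
struct model_buf { char *ptr; size_t used; size_t size; };
#define MODEL_ALIGN 64 /* constructed allocation granularity */

/* Bytes of string content, excluding the NUL. */
static size_t model_length(const struct model_buf *b) { return b->used ? b->used - 1 : 0; }

/* Bytes allocated but not yet marked as used. */
static size_t model_space(const struct model_buf *b) { return b->size - b->used; }

/* Reserve `len` string bytes and mark them as used. */
static int model_set_length(struct model_buf *b, size_t len) {
    size_t need = len + 1;
    if (need > b->size) {
        size_t size = (need + MODEL_ALIGN - 1) / MODEL_ALIGN * MODEL_ALIGN;
        char *p = realloc(b->ptr, size);
        if (!p) return -1;
        b->ptr = p;
        b->size = size;
    }
    b->used = need;
    b->ptr[len] = '\0';
    return 0;
}

/* Modelled capacity check: the destination must hold 2 hex chars per input byte. */
static int hex_fits(size_t out_len, size_t in_len) { return out_len >= 2 * in_len; }

/* 1 if the check passes on a fresh buffer, 0 if it would fire, -1 on OOM.
 * use_length = 0 passes the leftover space, 1 passes the reserved length. */
static int check_passes(size_t in_len, int use_length) {
    struct model_buf b = {0};
    if (model_set_length(&b, 2 * in_len) != 0) return -1;
    int ok = hex_fits(use_length ? model_length(&b) : model_space(&b), in_len);
    free(b.ptr);
    return ok;
}

int main(void) {
    size_t lens[] = {4, 16, 100}; /* constructed input sizes */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("in_len=%zu space:%d length:%d\n", lens[i],
               check_passes(lens[i], 0), check_passes(lens[i], 1));
    return 0;
}
```

In this model a 4-byte input passes either way because the alignment padding happens to be large enough, which is why a check like this can go unnoticed with short inputs.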

Actions #1

Updated by gstrauss almost 5 years ago

  • Status changed from New to Patch Pending

You're correct. Thanks Isibaar

Actions #2

Updated by gstrauss almost 5 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100