Ticket #74 (closed defect: duplicate)

Opened 3 years ago

Last modified 2 years ago

[PATCH] Crash on line 157 of pj_initcache.c when insert cache grows

Reported by: jacobsen Owned by: warmerdam
Priority: major Milestone:
Component: Core Version: Development (trunk)
Keywords: crash Cc:

Description

On the 16th unique entry into the insert cache, it will need to be resized by pj_insert_cache() which has the source and destination arguments to memcpy reversed on line 157 of pj_initcache.c in the current trunk. This problem also exists in 4.7.0 where I found it during internal testing. The code is:

memcpy( cache_key, cache_key_new, sizeof(char*) * cache_count);

but we are actually trying to copy the contents of cache_key into cache_key_new so the code should be:

memcpy( cache_key_new, cache_key, sizeof(char*) * cache_count);

So, the correct code in context would be:

    /*
    ** Grow list if required.
    */
    if( cache_count == cache_alloc )
    {
        char **cache_key_new;
        paralist **cache_paralist_new;

        cache_alloc = cache_alloc * 2 + 15;

        cache_key_new = (char **) pj_malloc(sizeof(char*) * cache_alloc);
        memcpy( cache_key_new, cache_key, sizeof(char*) * cache_count);
        pj_dalloc( cache_key );
        cache_key = cache_key_new;

Please do not hesitate to contact me with any questions.

Cordially,

Erik
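An added illustration (not the reporter's snippet and not PROJ's code): a stand-alone C version of the grow-and-copy step with the memcpy arguments in the corrected order. cache_key, cache_count and cache_alloc keep their names from pj_initcache.c, the paralist list is left out, and cache_insert, cache_lookup, cache_capacity and fill_and_check are helpers written for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char **cache_key = NULL;          /* the list pj_insert_cache() grows */
static int cache_count = 0, cache_alloc = 0;

/* Grow the key list: the new block is memcpy's destination, the old one its
 * source. The ticket's bug swapped them, so the soon-freed old list received
 * the copy and the live new list stayed uninitialised. 0 on success, else -1. */
static int cache_grow(void)
{
    char **cache_key_new;
    cache_alloc = cache_alloc * 2 + 15;               /* 0 -> 15 -> 45 */
    cache_key_new = (char **) malloc(sizeof(char *) * cache_alloc);
    if (cache_key_new == NULL) return -1;
    if (cache_count > 0)   /* memcpy from a NULL list is undefined behaviour */
        memcpy(cache_key_new, cache_key, sizeof(char *) * cache_count);
    free(cache_key);
    cache_key = cache_key_new;
    return 0;
}
/* Index of key in the cache, or -1 when absent. */
int cache_lookup(const char *key)
{
    int i;
    for (i = 0; i < cache_count; i++)
        if (strcmp(cache_key[i], key) == 0) return i;
    return -1;
}
/* Store a copy of key and return its index; the 16th key triggers a grow. */
int cache_insert(const char *key)
{
    size_t len = strlen(key) + 1;
    if (cache_count == cache_alloc && cache_grow() != 0) return -1;
    if ((cache_key[cache_count] = (char *) malloc(len)) == NULL) return -1;
    memcpy(cache_key[cache_count], key, len);
    return cache_count++;
}
int cache_capacity(void) { return cache_alloc; }

/* Insert n constructed keys, then check every one survives growth: 1 if so. */
int fill_and_check(int n)
{
    char buf[32];
    int i, ok = 1;
    for (i = 0; i < n; i++) { sprintf(buf, "key%d", i); ok &= cache_insert(buf) == i; }
    for (i = 0; i < n; i++) { sprintf(buf, "key%d", i); ok &= cache_lookup(buf) == i; }
    return ok;
}
```

Twenty keys force the 0 -> 15 -> 45 growth, so the 16th insert is the one that exercises the copy; with the arguments reversed as in the ticket, the first 15 entries of the new list would be whatever malloc happened to return.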

Attachments

fix_ticket_74.patch Download (0.5 KB) - added by rouault 3 years ago.

Change History

Changed 3 years ago by rouault

  • summary changed from Crash on line 157 of pj_initcache.c when insert cache grows to [PATCH] Crash on line 157 of pj_initcache.c when insert cache grows

Looks quite reasonable! I have attached a patch with the proposed fix.

Changed 3 years ago by rouault

Changed 2 years ago by rouault

  • status changed from new to closed
  • resolution set to duplicate

Has been fixed by ticket #100
