Peter Wu
changed
bug 9579
What |
Removed |
Added |
Status |
UNCONFIRMED
|
CONFIRMED
|
CC |
|
[email protected]
|
Ever confirmed |
|
1
|
Comment # 5
on bug 9579
from Peter Wu
For some reason, ch has become choice + 3 which is past the choice array:
(gdb) p ch
$14 = (const ber_choice_t *) 0x7ffff34c5db8
(gdb) p choice
$15 = (const ber_choice_t *) 0x7ffff34c5d40 <RegisterResponse_choice>
(gdb) p choice + 1
$16 = (const ber_choice_t *) 0x7ffff34c5d68 <RegisterResponse_choice+40>
(gdb) p choice + 2
$17 = (const ber_choice_t *) 0x7ffff34c5d90 <RegisterResponse_choice+80>
(gdb) p choice + 3
$18 = (const ber_choice_t *) 0x7ffff34c5db8
// choice is an array of size 3 with the last element being empty
ch = choice;
while (ch->func || first_pass) {
// ...
choice_try_again:
// ...
if ((count == 0) && (((ch->ber_class == ber_class) && (ch->tag == -1) &&
(ch->flags & BER_FLAGS_NOOWNTAG)) || !first_pass)) {
ch++; // (1)
goto choice_try_again; // <-- oops
}
// ...
ch++;
}
&choice[1] is the last non-empty element. If (1) gets executed twice, then ch =
&choice[3] which is past the buffer. That piece of code really needs closer
attention (ifdef REMOVED?!), but I am unfamiliar with BER and do not know the
correct way to fix this (throw exception? break unconditionally? break if
!first_pass?).
You are receiving this mail because:
- You are watching all bug changes.