From 00e2310f12dfb91aca2949463b57bd6937f19166 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 8 May 2013 12:04:18 -0400 Subject: Don't run off the end of the array-of-freelists This is a fix for bug 8844, where eugenis correctly notes that there's a sentinel value at the end of the list-of-freelists that's never actually checked. It's a bug since the first version of the chunked buffer code back in 0.2.0.16-alpha. This would probably be a crash bug if it ever happens, but nobody's ever reported something like this, so I'm unsure whether it can occur. It would require write_to_buf, write_to_buf_zlib, read_to_buf, or read_to_buf_tls to get an input size of more than 32K. Still, it's a good idea to fix this kind of thing! --- changes/bug8844 | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 changes/bug8844 (limited to 'changes') diff --git a/changes/bug8844 b/changes/bug8844 new file mode 100644 index 0000000000..320e5f2845 --- /dev/null +++ b/changes/bug8844 @@ -0,0 +1,6 @@ + o Major bugfixes: + - Prevent the get_freelists() function from running off the end of + the list of freelists if it somehow gets an unrecognized + allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by + eugenis. + -- cgit v1.2.3-54-g00ecf
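Review bot: the changelog entry's trigger condition ("if it somehow gets an unrecognized allocation") does not match the commit message, which attributes the overrun to write_to_buf, write_to_buf_zlib, read_to_buf or read_to_buf_tls receiving an input larger than 32K; consider wording the entry to match, e.g. "if a buffer operation requests a chunk larger than any freelist size." Since this view is limited to 'changes', the actual get_freelists() change is not reviewable here; the commit message says the sentinel at the end of the list-of-freelists is never checked, so the code fix should be confirmed to test that sentinel (or otherwise bound the walk) rather than only adjusting the changelog.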