cpp: Fix memory corruption bug in TBufferedTransport::borrowSlow()

On one code path, the code would read data past the end of its buffer.

git-svn-id: https://svn.apache.org/repos/asf/incubator/thrift/trunk@920684 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/lib/cpp/src/transport/TBufferTransports.cpp b/lib/cpp/src/transport/TBufferTransports.cpp
index 7a7e5e9..6097130 100644 (file)
--- a/lib/cpp/src/transport/TBufferTransports.cpp
+++ b/lib/cpp/src/transport/TBufferTransports.cpp
@@ -128,10 +128,11 @@ const uint8_t* TBufferedTransport::borrowSlow(uint8_t* buf, uint32_t* len) {
   if ((offset > rBufSize_/2) || (offset + need > rBufSize_)) {
     memmove(rBuf_.get(), rBase_, have);
     setReadBuffer(rBuf_.get(), have);
+    offset = have;
   }
 
   // First try to fill up the buffer.
-  uint32_t got = transport_->read(rBound_, rBufSize_ - have);
+  uint32_t got = transport_->read(rBound_, rBufSize_ - offset);
   rBound_ += got;
   need -= got;