Thrift-1451:FramedTransport: Prevent infinite loop when writing

Client: cpp
Patch: Dave Watson

Invoked test client with a big enough query to trigger the resize
code.

git-svn-id: https://svn.apache.org/repos/asf/thrift/trunk@1211737 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/lib/cpp/src/transport/TBufferTransports.cpp b/lib/cpp/src/transport/TBufferTransports.cpp
index 52920c2..197a7ab 100644 (file)
--- a/lib/cpp/src/transport/TBufferTransports.cpp
+++ b/lib/cpp/src/transport/TBufferTransports.cpp
@@ -211,6 +211,10 @@ void TFramedTransport::writeSlow(const uint8_t* buf, uint32_t len) {
   // Double buffer size until sufficient.
   uint32_t have = wBase_ - wBuf_.get();
   uint32_t new_size = wBufSize_;
+  if (len + have < have /* overflow */ || len + have > 0x7fffffff) {
+    throw TTransportException(TTransportException::BAD_ARGS,
+        "Attempted to write over 2 GB to TFramedTransport.");
+  }
   while (new_size < len + have) {
     new_size = new_size > 0 ? new_size * 2 : 1;
   }