From: David Reiss
Date: Tue, 9 Mar 2010 05:20:12 +0000 (+0000)
Subject: cpp: Fix memory corruption bug in TBufferedTransport::borrowSlow()
X-Git-Tag: 0.3.0~75
X-Git-Url: https://source.supwisdom.com/gerrit/gitweb?a=commitdiff_plain;h=71a1530c74340e95a95a1b0b6c5699fbc082a9d9;p=common%2Fthrift.git
cpp: Fix memory corruption bug in TBufferedTransport::borrowSlow()
On one code path, the code would read data past the end of its buffer.
git-svn-id: https://svn.apache.org/repos/asf/incubator/thrift/trunk@920684 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/lib/cpp/src/transport/TBufferTransports.cpp b/lib/cpp/src/transport/TBufferTransports.cpp
index 7a7e5e92..6097130b 100644
--- a/lib/cpp/src/transport/TBufferTransports.cpp
+++ b/lib/cpp/src/transport/TBufferTransports.cpp
@@ -128,10 +128,11 @@ const uint8_t* TBufferedTransport::borrowSlow(uint8_t* buf, uint32_t* len) {
 if ((offset > rBufSize_/2) || (offset + need > rBufSize_)) {
 memmove(rBuf_.get(), rBase_, have);
 setReadBuffer(rBuf_.get(), have);
+ offset = have;
 }
 // First try to fill up the buffer.
- uint32_t got = transport_->read(rBound_, rBufSize_ - have);
+ uint32_t got = transport_->read(rBound_, rBufSize_ - offset);
 rBound_ += got;
 need -= got;
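Review bot: The length passed to `transport_->read()` is still correct only while the local `offset` is kept in step with `rBound_` by hand, which is the bookkeeping that went stale and produced the out-of-bounds access this commit fixes. Deriving the free space from the pointer that is actually written to, e.g. `uint32_t avail = rBufSize_ - static_cast<uint32_t>(rBound_ - rBuf_.get());` and passing `avail`, would remove that dependency; this assumes `setReadBuffer()` leaves `rBound_` at `rBuf_.get() + have`, which the hunk does not show. If the shadow variable stays, the new `offset = have;` line deserves a comment such as `// data was moved to the start of rBuf_, so the write position is now 'have' bytes in`, so a later edit to the compaction branch does not drop it. borrowSlow() begins and ends outside the hunk, so the declarations of `offset`, `have` and `need` and the handling of a short read are not visible here.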