From: Jake Farrell <jfarrell@apache.org>
Date: Thu, 8 Dec 2011 02:08:38 +0000 (+0000)
Subject: Thrift-1451:FramedTransport: Prevent infinite loop when writing
X-Git-Tag: 0.9.1~510
X-Git-Url: https://source.supwisdom.com/gerrit/gitweb?a=commitdiff_plain;h=f05e1486e4b213842d362f8be62cd0352f29fbe3;p=common%2Fthrift.git

Thrift-1451:FramedTransport: Prevent infinite loop when writing
Client: cpp
Patch: Dave Watson

Invoked test client with a big enough query to trigger the resize
code.



git-svn-id: https://svn.apache.org/repos/asf/thrift/trunk@1211737 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/lib/cpp/src/transport/TBufferTransports.cpp b/lib/cpp/src/transport/TBufferTransports.cpp
index 52920c22..197a7ab4 100644
--- a/lib/cpp/src/transport/TBufferTransports.cpp
+++ b/lib/cpp/src/transport/TBufferTransports.cpp
@@ -211,6 +211,10 @@ void TFramedTransport::writeSlow(const uint8_t* buf, uint32_t len) {
   // Double buffer size until sufficient.
   uint32_t have = wBase_ - wBuf_.get();
   uint32_t new_size = wBufSize_;
+  if (len + have < have /* overflow */ || len + have > 0x7fffffff) {
+    throw TTransportException(TTransportException::BAD_ARGS,
+        "Attempted to write over 2 GB to TFramedTransport.");
+  }
   while (new_size < len + have) {
     new_size = new_size > 0 ? new_size * 2 : 1;
   }