From 71a1530c74340e95a95a1b0b6c5699fbc082a9d9 Mon Sep 17 00:00:00 2001
From: David Reiss
Date: Tue, 9 Mar 2010 05:20:12 +0000
Subject: [PATCH] cpp: Fix memory corruption bug in TBufferedTransport::borrowSlow()

On one code path, the code would read data past the end of its buffer.

git-svn-id: https://svn.apache.org/repos/asf/incubator/thrift/trunk@920684 13f79535-47bb-0310-9956-ffa450edef68
---
 lib/cpp/src/transport/TBufferTransports.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/cpp/src/transport/TBufferTransports.cpp b/lib/cpp/src/transport/TBufferTransports.cpp
index 7a7e5e92..6097130b 100644
--- a/lib/cpp/src/transport/TBufferTransports.cpp
+++ b/lib/cpp/src/transport/TBufferTransports.cpp
@@ -128,10 +128,11 @@ const uint8_t* TBufferedTransport::borrowSlow(uint8_t* buf, uint32_t* len) {
 if ((offset > rBufSize_/2) || (offset + need > rBufSize_)) {
 memmove(rBuf_.get(), rBase_, have);
 setReadBuffer(rBuf_.get(), have);
+ offset = have;
 }

 // First try to fill up the buffer.
- uint32_t got = transport_->read(rBound_, rBufSize_ - have);
+ uint32_t got = transport_->read(rBound_, rBufSize_ - offset);
 rBound_ += got;
 need -= got;

--
2.17.1
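Review bot: The length passed to `transport_->read(rBound_, rBufSize_ - offset)` is only safe while the local `offset` equals the distance from the start of `rBuf_` to `rBound_`, and the added `offset = have;` keeps that in sync by hand after `setReadBuffer(rBuf_.get(), have)`. A stale value would again hand the transport more room than is left at `rBound_`, which is the out-of-bounds access the commit message describes, so I would derive the length from the pointers at the call site, e.g. `rBufSize_ - static_cast<uint32_t>(rBound_ - rBuf_.get())`, or at least put `assert(offset <= rBufSize_);` above the read. The declaration of `offset` and the rest of borrowSlow lie outside the hunk, so its initial meaning is inferred here. The diffstat lists only this one file, so the fix appears to ship without a regression test; a case that borrows with `rBase_` advanced past the buffer start but without entering the memmove branch would pin the corrected path.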