From 7f1df992479fdcad208889e53b8b982e2428d250 Mon Sep 17 00:00:00 2001 From: Roger Meier Date: Sun, 5 May 2013 23:29:34 +0200 Subject: [PATCH] THRIFT-1932 TFileTransport::readEvent() casts values read from input stream into a pointer and then dereferences it. Patch: Hugo Mildenberger --- lib/cpp/src/thrift/transport/TFileTransport.cpp | 7 ++++--- lib/cpp/src/thrift/transport/TFileTransport.h | 5 +++++ 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/lib/cpp/src/thrift/transport/TFileTransport.cpp b/lib/cpp/src/thrift/transport/TFileTransport.cpp index 0cbf3571..4b6ea47f 100644 --- a/lib/cpp/src/thrift/transport/TFileTransport.cpp +++ b/lib/cpp/src/thrift/transport/TFileTransport.cpp @@ -711,9 +711,10 @@ eventInfo* TFileTransport::readEvent() { readState_.eventSizeBuff_[readState_.eventSizeBuffPos_++] = readBuff_[readState_.bufferPtr_++]; + if (readState_.eventSizeBuffPos_ == 4) { - // 0 length event indicates padding - if (*((uint32_t *)(readState_.eventSizeBuff_)) == 0) { + if (readState_.getEventSize() == 0) { + // 0 length event indicates padding // T_DEBUG_L(1, "Got padding"); readState_.resetState(readState_.lastDispatchPtr_); continue; @@ -724,7 +725,7 @@ eventInfo* TFileTransport::readEvent() { delete(readState_.event_); } readState_.event_ = new eventInfo(); - readState_.event_->eventSize_ = *((uint32_t *)(readState_.eventSizeBuff_)); + readState_.event_->eventSize_ = readState_.getEventSize(); // check if the event is corrupted and perform recovery if required if (isEventCorrupted()) { diff --git a/lib/cpp/src/thrift/transport/TFileTransport.h b/lib/cpp/src/thrift/transport/TFileTransport.h index edfc407c..267305d6 100644 --- a/lib/cpp/src/thrift/transport/TFileTransport.h +++ b/lib/cpp/src/thrift/transport/TFileTransport.h @@ -94,6 +94,11 @@ typedef struct readState { event_ = 0; } + inline uint32_t getEventSize() { + const void *buffer=reinterpret_cast(eventSizeBuff_); + return *reinterpret_cast(buffer); + } + readState() { event_ = 0; resetAllValues(); -- 2.17.1