From f05e1486e4b213842d362f8be62cd0352f29fbe3 Mon Sep 17 00:00:00 2001
From: Jake Farrell
Date: Thu, 8 Dec 2011 02:08:38 +0000
Subject: [PATCH] Thrift-1451:FramedTransport: Prevent infinite loop when writing Client: cpp Patch: Dave Watson Invoked test client with a big enough query to trigger the resize code.
git-svn-id: https://svn.apache.org/repos/asf/thrift/trunk@1211737 13f79535-47bb-0310-9956-ffa450edef68
---
 lib/cpp/src/transport/TBufferTransports.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/cpp/src/transport/TBufferTransports.cpp b/lib/cpp/src/transport/TBufferTransports.cpp
index 52920c22..197a7ab4 100644
--- a/lib/cpp/src/transport/TBufferTransports.cpp
+++ b/lib/cpp/src/transport/TBufferTransports.cpp
@@ -211,6 +211,10 @@ void TFramedTransport::writeSlow(const uint8_t* buf, uint32_t len) {
 // Double buffer size until sufficient.
 uint32_t have = wBase_ - wBuf_.get();
 uint32_t new_size = wBufSize_;
+ if (len + have < have /* overflow */ || len + have > 0x7fffffff) {
+ throw TTransportException(TTransportException::BAD_ARGS,
+ "Attempted to write over 2 GB to TFramedTransport.");
+ }
 while (new_size < len + have) {
 new_size = new_size > 0 ? new_size * 2 : 1;
 }
-- 
2.17.1
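Review bot: The new guard in writeSlow detects overflow through 32-bit wraparound (`len + have < have`) and a bare `0x7fffffff`, and the loop condition below it recomputes `len + have` each pass, so the bound is harder to audit than it needs to be. Computing the sum once in 64 bits reads more directly: `const uint64_t need = static_cast<uint64_t>(len) + have;`, then `if (need > 0x7fffffff) { throw ... }` and `while (new_size < need)`. A one-line comment saying why the ceiling is 2 GB would help; presumably the frame length is carried as a signed 32-bit value, but that is not visible in this hunk. The check only keeps the doubling loop from wrapping, so `new_size` can still grow to 2 GiB, and where the amount written can be driven by untrusted input a smaller, configurable frame cap would be the safer limit. The function body continues outside the hunk, so the allocation that consumes `new_size` is not visible here.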