Heap corruption in hashtable code


Lutz Justen

Sep 11, 2020, 12:47:36 PM
to librsync
Hi, I'm getting a heap corruption error (write after end of heap buffer) using librsync on Windows:

Debug Error ! Program :- Heap Corruption detected : after normal block ...CRT detected that the application wrote memory after end of heap buffer.

It happens in hashtable.c at
  free(t->kbloom);
It seems like the allocation of kbloom is wrong:

if (!(t->kbloom = calloc(size2 / 8, sizeof(unsigned char)))) {

IIUC kbloom is a bit set, so it should round up to the next number of bytes:

if (!(t->kbloom = calloc((size2 + 7) / 8, sizeof(unsigned char)))) {

Does this make sense?

Thanks,

- Lutz

Donovan Baarda

Sep 12, 2020, 7:30:41 PM
to Lutz Justen, librsync
Yes, it does.

I was going to say "yes, but size2 is always a power of two greater than or equal to 8, so it's always divisible by 8", but looking at the code again I can't see the "greater than or equal to 8" bit. I could have sworn I had code in for that at one point, but maybe it got lost in the edit/merge process.

This needs to be fixed.
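The allocation mismatch Lutz describes and Donovan's point that size2 is a power of two but is not guaranteed to be at least 8, as an added C example (not librsync's hashtable.c; the function and type names are hypothetical): it compares the two byte counts for power-of-two sizes and shows that the rounded-up allocation holds the last bit of a 4-bit set.

```c
#include <stdio.h>
#include <stdlib.h>

/* Byte count computed by the allocation quoted in the thread:
 * truncating division, so any size2 below 8 yields 0 bytes. */
size_t kbloom_bytes_truncating(size_t size2) { return size2 / 8; }

/* Byte count from the proposed fix: rounds up to whole bytes. */
size_t kbloom_bytes_rounded(size_t size2) { return (size2 + 7) / 8; }

/* Index of the byte that holds the last bit of a size2-bit set (size2 >= 1). */
size_t last_byte_index(size_t size2) { return (size2 - 1) / 8; }

/* 1 if setting the last bit would write past an nbytes-byte buffer, else 0. */
int would_overflow(size_t size2, size_t nbytes) {
    return last_byte_index(size2) >= nbytes;
}

/* Minimal bitset using the rounded-up allocation (hypothetical names). */
typedef struct { unsigned char *bits; size_t nbytes; } bitset_t;

int bitset_init(bitset_t *b, size_t size2) {
    b->nbytes = kbloom_bytes_rounded(size2);
    b->bits = calloc(b->nbytes, sizeof(unsigned char));
    return b->bits != NULL;
}
void bitset_set(bitset_t *b, size_t i) { b->bits[i / 8] |= (unsigned char)(1u << (i % 8)); }
int bitset_test(const bitset_t *b, size_t i) { return (b->bits[i / 8] >> (i % 8)) & 1; }
void bitset_free(bitset_t *b) { free(b->bits); b->bits = NULL; }

int main(void) {
    /* Powers of two, as size2 is in the thread; the two formulas differ only below 8. */
    size_t sizes[] = {1, 2, 4, 8, 16, 1024};
    for (size_t k = 0; k < sizeof sizes / sizeof sizes[0]; k++) {
        size_t s = sizes[k];
        printf("size2=%4zu  size2/8=%3zu (overflow=%d)  (size2+7)/8=%3zu (overflow=%d)\n",
               s, kbloom_bytes_truncating(s), would_overflow(s, kbloom_bytes_truncating(s)),
               kbloom_bytes_rounded(s), would_overflow(s, kbloom_bytes_rounded(s)));
    }
    bitset_t b;
    if (!bitset_init(&b, 4)) return 1;
    bitset_set(&b, 3);               /* last bit of a 4-bit set lands in byte 0 */
    printf("bit 3 set: %d (buffer is %zu byte)\n", bitset_test(&b, 3), b.nbytes);
    bitset_free(&b);
    return 0;
}
```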

lju...@google.com

Sep 21, 2020, 12:03:53 PM
to librsync