From b00ebfe4609b827bd202a2238137c088238e70e3 Mon Sep 17 00:00:00 2001
From: zhangyi
Date: Fri, 29 Mar 2019 15:12:15 +0800
Subject: [PATCH] memory access may out of bounds
---
 src/ipc.cpp | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
 mode change 100644 => 100755 src/ipc.cpp
diff --git a/src/ipc.cpp b/src/ipc.cpp
old mode 100644
new mode 100755
index d19e978..47ca491
--- a/src/ipc.cpp
+++ b/src/ipc.cpp
@@ -57,9 +57,10 @@ struct msg_t {
 }
 };
-buff_t make_cache(void const * data, std::size_t size) {
+template
+buff_t make_cache(T& data, std::size_t size) {
 auto ptr = mem::alloc(size);
- std::memcpy(ptr, data, size);
+ std::memcpy(ptr, &data, (std::min)(sizeof(data), size));
 return { ptr, size, mem::free };
 }
@@ -72,8 +73,10 @@ struct cache_t {
 {}
 void append(void const * data, std::size_t size) {
- std::memcpy(static_cast(buff_.data()) + fill_, data, size);
- fill_ += size;
+ if (fill_ >= buff_.size() || data == nullptr || size == 0) return;
+ auto new_fill = (std::min)(fill_ + size, buff_.size());
+ std::memcpy(static_cast(buff_.data()) + fill_, data, new_fill - fill_);
+ fill_ = new_fill;
 }
 };
@@ -284,7 +287,7 @@ static buff_t recv(ipc::handle_t h, std::size_t tm) {
 auto cac_it = rc.find(msg.head_.id_);
 if (cac_it == rc.end()) {
 if (remain <= data_length) {
- return make_cache(&(msg.data_), remain);
+ return make_cache(msg.data_, remain);
 }
 else {
 // gc
@@ -299,7 +302,7 @@ static buff_t recv(ipc::handle_t h, std::size_t tm) {
 for (auto id : need_del) rc.erase(id);
 }
 // cache the first message fragment
- rc.emplace(msg.head_.id_, cache_t { data_length, make_cache(&(msg.data_), remain) });
+ rc.emplace(msg.head_.id_, cache_t { data_length, make_cache(msg.data_, remain) });
 }
 }
 // has cached before this message
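Review bot: The new `make_cache` copies only `(std::min)(sizeof(data), size)` bytes but still returns `{ ptr, size, mem::free }`, so whenever `size` exceeds `sizeof(data)` the tail of the `size`-byte allocation is never written yet the returned `buff_t` reports it as valid payload, and a consumer of that buffer reads uninitialized heap memory. The callers changed in the third and fourth hunks (`make_cache(msg.data_, remain)` in `recv`) pass `remain`, so whether this is reachable depends on whether `remain` can exceed the capacity of `msg_t::data_` — presumably an inline array, since the commit relies on `sizeof(data)` for its size; if callers instead need exactly `size` bytes, zero-fill the remainder rather than clamping. The `template` parameter list is not visible on this page (likely lost in rendering), so the declaration should be checked in the file, and `mem::alloc`'s result still goes straight into `memcpy` without a null check, which predates this commit. The clamped variant below reports exactly the bytes it copied.
```cpp
template <typename T>
buff_t make_cache(T& data, std::size_t size) {
    // Copy at most what `data` actually holds and report exactly that length,
    // so the returned buffer never advertises bytes that were never written.
    auto const len = (std::min)(sizeof(data), size);
    auto ptr = mem::alloc(len);
    std::memcpy(ptr, &data, len);
    return { ptr, len, mem::free };
}
```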
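Review bot: `append` now silently drops any bytes that do not fit in `buff_`, and because it returns `void` the caller in `recv` cannot tell that a fragment was truncated; fragments that add up to more than the cache was sized for indicate a malformed or hostile peer message and should cause the cache entry to be discarded rather than be reassembled with a missing tail. Have the method report the outcome: change the signature to `bool append(void const * data, std::size_t size)`, compute `auto const copied = new_fill - fill_;` for the `memcpy` length, and finish with `fill_ = new_fill; return copied == size;` (the early return becoming `return size == 0;`), so the caller can erase the entry on `false`. The early return also treats a null `data` with a non-zero `size` as success, which hides what is most likely an upstream bug; consider keeping the null guard but reporting it as a failure. The enclosing `struct cache_t` begins outside the hunk, and the callers of `append` are not part of this patch.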