authorwangyunjian <wangyunjian@huawei.com>2020-07-26 21:25:50 +0800
committerJens Geyer <jensg@apache.org>2020-09-02 08:49:42 +0200
commit073166f2c4b99b5ab4b425dd2dfc137b00a2e260 (patch)
treee6e3e48a99ac7bb1146aedb88647285fd9e083f2
parent021cb2707086a926ae49dcb9c1b7929472d0daa9 (diff)
downloadthrift-073166f2c4b99b5ab4b425dd2dfc137b00a2e260.tar.gz
THRIFT-5255: Fix stack overflow in framed transport
Client: c_glib Patch: wangyunjian <wangyunjian@huawei.com> This closes #2206 Signed-off-by: wangyunjian <wangyunjian@huawei.com>
-rw-r--r--lib/c_glib/src/thrift/c_glib/transport/thrift_framed_transport.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/c_glib/src/thrift/c_glib/transport/thrift_framed_transport.c b/lib/c_glib/src/thrift/c_glib/transport/thrift_framed_transport.c
index 1faf16ecb..f7b819260 100644
--- a/lib/c_glib/src/thrift/c_glib/transport/thrift_framed_transport.c
+++ b/lib/c_glib/src/thrift/c_glib/transport/thrift_framed_transport.c
@@ -98,7 +98,7 @@ thrift_framed_transport_read_frame (ThriftTransport *transport,
sz = ntohl (sz);
/* create a buffer to hold the data and read that much data */
- tmpdata = g_alloca (sz);
+ tmpdata = g_new0 (guchar, sz);
bytes = thrift_transport_read (t->transport, tmpdata, sz, error);
if (bytes > 0 && (error == NULL || *error == NULL))
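Review bot: The frame length `sz` is taken from the wire via `ntohl (sz)` and passed to `g_new0 (guchar, sz)` with no upper bound, so one malformed 4-byte header can still request a buffer of up to the full 32-bit range. Moving the buffer from the stack to the heap removes the stack overflow but not the resource exhaustion, and GLib's `g_new0` terminates the process when the allocation fails. I would check the length before allocating, `if (sz > MAX_FRAME_SIZE)` with `MAX_FRAME_SIZE` as a placeholder for a configured limit, report the oversized frame through `error`, and allocate with `g_try_malloc (sz)` plus a NULL check. The declaration of `sz` and the start of `thrift_framed_transport_read_frame` are outside the hunk, so its signedness should be confirmed when writing the comparison.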
@@ -108,6 +108,7 @@ thrift_framed_transport_read_frame (ThriftTransport *transport,
result = TRUE;
}
+ g_free (tmpdata);
}
return result;
@@ -249,7 +250,7 @@ thrift_framed_transport_flush (ThriftTransport *transport, GError **error)
sz_nbo = (gint32) htonl ((guint32) t->w_buf->len);
/* copy the size of the frame and then the frame itself */
- tmpdata = g_alloca (sz_hbo);
+ tmpdata = g_new0 (guchar, sz_hbo);
memcpy (tmpdata, (guint8 *) &sz_nbo, sizeof (sz_nbo));
if (t->w_buf->len > 0)
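Review bot: `g_new0 (guchar, sz_hbo)` zero-fills a buffer whose first bytes are overwritten by the `memcpy` on the next line, and the rest appears to be filled from `t->w_buf` just below the hunk, so the zeroing looks like wasted work on every flush. `tmpdata = g_malloc (sz_hbo);` would do here, and the same applies to the `g_new0` in `thrift_framed_transport_read_frame`, where the buffer is filled by `thrift_transport_read`. The computation of `sz_hbo` is outside the hunk; a short comment such as `/* sz_hbo = 4-byte length prefix + payload */` at the allocation would help the next reader.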
@@ -265,7 +266,7 @@ thrift_framed_transport_flush (ThriftTransport *transport, GError **error)
THRIFT_TRANSPORT_GET_CLASS (t->transport)->flush (t->transport,
error);
-
+ g_free (tmpdata);
return TRUE;
}
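Review bot: The result of the underlying `flush` call is discarded and the function returns `TRUE` unconditionally, so a caller cannot tell a failed flush from a successful one unless it inspects `error` itself. Since this hunk already touches the exit path, I would propagate the result: `gboolean ok = THRIFT_TRANSPORT_GET_CLASS (t->transport)->flush (t->transport, error);` then `g_free (tmpdata);` and `return ok;`. The write call between the allocation and this point is outside the hunk; if it can fail, its result deserves the same treatment, with `g_free (tmpdata)` kept on every exit.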