THRIFT-5221: Fix stack overflow when reading buffer

Client: c_glib Patch: wangyunjian This closes #2161 Signed-off-by: wangyunjian <wangyunjian@huawei.com>
author: wangyunjian <wangyunjian@huawei.com> 2020-05-29 22:29:25 +0800
committer: Jens Geyer <jensg@apache.org> 2020-06-18 22:23:05 +0200
commit: 8b8633e8d805905868f359adf85d18326204a5d5 (patch)
tree: ac16ed99161f625778a51c4ee48fa70b7d67792e /lib/c_glib
parent: 1bed620c5f91cf60fd7c4e54f16714fd50ad807c (diff)
download: thrift-8b8633e8d805905868f359adf85d18326204a5d5.tar.gz
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/c_glib/src/thrift/c_glib/transport/thrift_buffered_transport.c b/lib/c_glib/src/thrift/c_glib/transport/thrift_buffered_transport.c
index 0ab3e9329..f13c5a329 100644
--- a/lib/c_glib/src/thrift/c_glib/transport/thrift_buffered_transport.c
+++ b/lib/c_glib/src/thrift/c_glib/transport/thrift_buffered_transport.c
@@ -79,7 +79,7 @@ thrift_buffered_transport_read_slow (ThriftTransport *transport, gpointer buf,
   gint ret = 0;
   guint32 want = len;
   guint32 got = 0;
-  guchar *tmpdata = g_alloca (len);
+  guchar *tmpdata = g_new0 (guchar, len);
   guint32 have = t->r_buf->len;
 
   /* we shouldn't hit this unless the buffer doesn't have enough to read */
@@ -102,12 +102,14 @@ thrift_buffered_transport_read_slow (ThriftTransport *transport, gpointer buf,
                                                                 tmpdata,
                                                                 want,
                                                                 error)) < 0) {
+      g_free (tmpdata);
       return ret;
     }
     got += ret;
 
     /* copy the data starting from where we left off */
     memcpy ((guint8 *)buf + have, tmpdata, got);
+    g_free (tmpdata);
     return got + have; 
   } else {
     guint32 give;
@@ -116,11 +118,12 @@ thrift_buffered_transport_read_slow (ThriftTransport *transport, gpointer buf,
                                                                 tmpdata,
                                                                 want,
                                                                 error)) < 0) {
+      g_free (tmpdata);
       return ret;
     }
     got += ret;
     t->r_buf = g_byte_array_append (t->r_buf, tmpdata, got);
-    
+    g_free (tmpdata);
     /* hand over what we have up to what the caller wants */
     give = want < t->r_buf->len ? want : t->r_buf->len;
author	wangyunjian <wangyunjian@huawei.com>	2020-05-29 22:29:25 +0800
committer	Jens Geyer <jensg@apache.org>	2020-06-18 22:23:05 +0200
commit	8b8633e8d805905868f359adf85d18326204a5d5 (patch)
tree	ac16ed99161f625778a51c4ee48fa70b7d67792e /lib/c_glib
parent	1bed620c5f91cf60fd7c4e54f16714fd50ad807c (diff)
download	thrift-8b8633e8d805905868f359adf85d18326204a5d5.tar.gz