Fix heap corruption when copying too much data onto an item.

kroki · dustin · commit 74d52354bb72 · 2008-06-18T11:35:20.000-07:00
(Dustin:)
I wrote a fuzz test that would consistently crash in assoc_find, but
after this change the test failed to break things and my fuzz
generator couldn't produce another breaking case.
diff --git a/memcached.c b/memcached.c
@@ -1527,7 +1527,7 @@ char *do_add_delta(item *it, const bool incr, const int64_t delta, char *buf) {
             return "SERVER_ERROR out of memory in incr/decr";
         }
         memcpy(ITEM_data(new_it), buf, res);
-        memcpy(ITEM_data(new_it) + res, "\r\n", 3);
+        memcpy(ITEM_data(new_it) + res, "\r\n", 2);
         do_item_replace(it, new_it);
         do_item_remove(new_it);       /* release our reference */
     } else { /* replace in-place */

Original file line number	Diff line number	Diff line change
`@@ -1527,7 +1527,7 @@ char do_add_delta(item it, const bool incr, const int64_t delta, char *buf) {`
`1527`	`1527`	`return "SERVER_ERROR out of memory in incr/decr";`
`1528`	`1528`	`}`
`1529`	`1529`	`memcpy(ITEM_data(new_it), buf, res);`
`1530`		`- memcpy(ITEM_data(new_it) + res, "\r\n", 3);`
	`1530`	`+ memcpy(ITEM_data(new_it) + res, "\r\n", 2);`
`1531`	`1531`	`do_item_replace(it, new_it);`
`1532`	`1532`	`do_item_remove(new_it); /* release our reference */`
`1533`	`1533`	`} else { /* replace in-place */`