[omniORB] bug in omniORB4 Windows registry code

Norrie Quinn norrie.quinn@tumbleweed.com
Thu Jun 27 00:44:00 2002


We accidentally hit this memory corruption bug when any omniORB4 registry
value is empty.  The call to strlen() returns 0, so p is stepped back to
before the start of the string and the terminating '\0' can be assigned
elsewhere.

diff -c -r1.1.1.1 orbOptionsReg.cc
*** orbOptionsReg.cc	4 Apr 2002 22:48:13 -0000	1.1.1.1
--- orbOptionsReg.cc	26 Jun 2002 23:22:35 -0000
***************
*** 172,190 ****
    while ( isspace(*p) )
      p++;
    key = p;
!   p += strlen(key) - 1;
!   while ( isspace(*p) )
!     p--;
!   *(++p) = '\0';
  
    p = valuebuf;
    while ( isspace(*p) )
      p++;
    value = p;
!   p += strlen(value) - 1;
!   while ( isspace(*p) )
!     p--;
!   *(++p) = '\0';
  
    return 1;
  }
--- 172,194 ----
    while ( isspace(*p) )
      p++;
    key = p;
!   if ( *p != '\0' ) {
!     p += strlen(key) - 1;
!     while ( isspace(*p) )
!       p--;
!     *(++p) = '\0';
!   }
  
    p = valuebuf;
    while ( isspace(*p) )
      p++;
    value = p;
!   if ( *p != '\0' ) {
!     p += strlen(value) - 1;
!     while ( isspace(*p) )
!       p--;
!     *(++p) = '\0';
!   }
  
    return 1;
  }
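Review bot: Both trimming loops on the new side still call `isspace(*p)` on what appears to be a plain `char` (the declaration of `p` is outside the hunk), so a registry string containing bytes above 0x7F would pass a negative value to `isspace` where `char` is signed. That is undefined behaviour, and some debug C runtimes assert on it; casting at each call, `while ( isspace((unsigned char)*p) )`, avoids it. The added `*p != '\0'` guard does keep the backward scan inside the string, because the first character is known to be non-space at that point. The two guarded blocks are identical, so a small static helper that trims trailing whitespace in place would stop the key and value handling drifting apart. The enclosing function begins above the hunk.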

Regards
Norrie
_______________________________________________________________
Norrie Quinn                                       650 216 2533
Tumbleweed Communications Corp.     norrie.quinn@tumbleweed.com