From 99d911bad474a7c6844713b35fbd805a8b1b8ace Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov <vsevolod@rambler-co.ru>
Date: Tue, 15 Mar 2011 01:20:03 +0300
Subject: [PATCH] Fix memory corruption in memory pools library. While in here
 use guint8 for all pointers.

---
 src/mem_pool.c | 37 ++++++++++++++++++++++++++-----------
 src/mem_pool.h | 16 +++++-----------
 2 files changed, 31 insertions(+), 22 deletions(-)

diff --git a/src/mem_pool.c b/src/mem_pool.c
index ac870d42b..85b4a1233 100644
--- a/src/mem_pool.c
+++ b/src/mem_pool.c
@@ -53,6 +53,19 @@ pthread_mutex_t                 stat_mtx = PTHREAD_MUTEX_INITIALIZER;
 /* Internal statistic */
 static memory_pool_stat_t      *mem_pool_stat = NULL;
 
+/**
+ * Function that return free space in pool page
+ * @param x pool page struct
+ */
+static gsize
+pool_chain_free (struct _pool_chain *chain)
+{
+	guint8                         *p;
+
+	p = align_ptr (chain->pos, MEM_ALIGNMENT);
+	return chain->len - (p - chain->begin);
+}
+
 static struct _pool_chain      *
 pool_chain_new (gsize size)
 {
@@ -96,7 +109,7 @@ pool_chain_new_shared (gsize size)
 		abort ();
 	}
 	chain = (struct _pool_chain_shared *)map;
-	chain->begin = ((u_char *) chain) + sizeof (struct _pool_chain_shared);
+	chain->begin = ((guint8 *) chain) + sizeof (struct _pool_chain_shared);
 #elif defined(HAVE_MMAP_ZERO)
 	gint                            fd;
 
@@ -110,7 +123,7 @@ pool_chain_new_shared (gsize size)
 		abort ();
 	}
 	chain = (struct _pool_chain_shared *)map;
-	chain->begin = ((u_char *) chain) + sizeof (struct _pool_chain_shared);
+	chain->begin = ((guint8 *) chain) + sizeof (struct _pool_chain_shared);
 #else
 #   	error No mmap methods are defined
 #endif
@@ -185,7 +198,7 @@ memory_pool_new (gsize size)
 void                           *
 memory_pool_alloc (memory_pool_t * pool, gsize size)
 {
-	u_char                         *tmp;
+	guint8                         *tmp;
 	struct _pool_chain             *new, *cur;
 
 	if (pool) {
@@ -195,10 +208,10 @@ memory_pool_alloc (memory_pool_t * pool, gsize size)
 		cur = pool->cur_pool;
 #endif
 		/* Find free space in pool chain */
-		while (memory_pool_free (cur) < size && cur->next) {
+		while (pool_chain_free (cur) < size && cur->next) {
 			cur = cur->next;
 		}
-		if (cur->next == NULL && memory_pool_free (cur) < size) {
+		if (cur->next == NULL) {
 			/* Allocate new pool */
 			if (cur->len >= size) {
 				new = pool_chain_new (cur->len);
@@ -300,7 +313,7 @@ memory_pool_strdup_shared (memory_pool_t * pool, const gchar *src)
 void                           *
 memory_pool_alloc_shared (memory_pool_t * pool, gsize size)
 {
-	u_char                         *tmp;
+	guint8                         *tmp;
 	struct _pool_chain_shared      *new, *cur;
 
 	if (pool) {
@@ -313,10 +326,10 @@ memory_pool_alloc_shared (memory_pool_t * pool, gsize size)
 		}
 
 		/* Find free space in pool chain */
-		while (memory_pool_free (cur) < size && cur->next) {
+		while (pool_chain_free ((struct _pool_chain *)cur) < size && cur->next) {
 			cur = cur->next;
 		}
-		if (cur->next == NULL && memory_pool_free (cur) < size) {
+		if (cur->next == NULL) {
 			/* Allocate new pool */
 			if (cur->len >= size) {
 				new = pool_chain_new_shared (cur->len);
@@ -350,7 +363,7 @@ memory_pool_find_pool (memory_pool_t * pool, void *pointer)
 	struct _pool_chain_shared      *cur = pool->shared_pool;
 
 	while (cur) {
-		if ((u_char *) pointer >= cur->begin && (u_char *) pointer <= (cur->begin + cur->len)) {
+		if ((guint8 *) pointer >= cur->begin && (guint8 *) pointer <= (cur->begin + cur->len)) {
 			return cur;
 		}
 		cur = cur->next;
@@ -382,7 +395,9 @@ __mutex_spin (memory_pool_mutex_t * mutex)
 	__asm                           __volatile ("pause");
 #elif defined(HAVE_SCHED_YIELD)
 	(void)sched_yield ();
-#elif defined(HAVE_NANOSLEEP)
+#endif
+
+#if defined(HAVE_NANOSLEEP)
 	struct timespec                 ts;
 	ts.tv_sec = 0;
 	ts.tv_nsec = MUTEX_SLEEP_TIME;
@@ -441,7 +456,7 @@ void
 memory_pool_add_destructor_full (memory_pool_t * pool, pool_destruct_func func, void *data,
 		const gchar *function, const gchar *line)
 {
-	struct _pool_destructors       *cur, *tmp;
+	struct _pool_destructors       *cur;
 
 	cur = memory_pool_alloc (pool, sizeof (struct _pool_destructors));
 	if (cur) {
diff --git a/src/mem_pool.h b/src/mem_pool.h
index d25a4dc2f..62f6dcb9a 100644
--- a/src/mem_pool.h
+++ b/src/mem_pool.h
@@ -39,8 +39,8 @@ typedef struct memory_pool_mutex_s {
  * Pool page structure
  */
 struct _pool_chain {
-	u_char *begin;					/**< begin of pool chain block 				*/
-	u_char *pos;					/**< current start of free space in block 	*/
+	guint8 *begin;					/**< begin of pool chain block 				*/
+	guint8 *pos;					/**< current start of free space in block 	*/
 	gsize len;		/**< length of block 						*/
 	struct _pool_chain *next;		/**< chain link 							*/
 };
@@ -49,11 +49,11 @@ struct _pool_chain {
  * Shared pool page
  */
 struct _pool_chain_shared {
-	u_char *begin;
-	u_char *pos;
+	guint8 *begin;
+	guint8 *pos;
 	gsize len;
-	memory_pool_mutex_t *lock;
 	struct _pool_chain_shared *next;
+	memory_pool_mutex_t *lock;
 };
 
 /**
@@ -268,10 +268,4 @@ void memory_pool_set_variable (memory_pool_t *pool, const gchar *name, gpointer
 gpointer memory_pool_get_variable (memory_pool_t *pool, const gchar *name);
 
 
-/**
- * Macro that return free space in pool page
- * @param x pool page struct
- */
-#define memory_pool_free(x) ((x)->len - (align_ptr((x)->pos, MEM_ALIGNMENT) - (x)->begin))
-
 #endif
-- 
2.39.5