
r18255@catbus: nickm | 2008-02-20 11:44:55 -0500
Add asserts and refactor some comparisons in order to fix some veracode-identified issues. Note a bug in buffers.c


svn:r13618

Nick Mathewson 16 년 전
부모
커밋
cefe0a1959
3개의 변경된 파일11개의 추가작업 그리고 4개의 파일을 삭제
  1. 4 2
      src/or/buffers.c
  2. 3 2
      src/or/dirvote.c
  3. 4 0
      src/or/routerparse.c

+ 4 - 2
src/or/buffers.c

@@ -1019,8 +1019,10 @@ static int
 buf_find_pos_of_char(char ch, buf_pos_t *out)
 {
   const chunk_t *chunk;
-  int offset = 0;
-  int pos = out->pos;
+  int offset = 0; /*XXXX020 should this be pos_absolute? Otherwise, bug. */
+  int pos;
+  tor_assert(out && out->chunk && out->pos < (int)out->chunk->datalen);
+  pos = out->pos;
   for (chunk = out->chunk; chunk; chunk = chunk->next) {
     char *cp = memchr(chunk->data+pos, ch, chunk->datalen-pos);
     if (cp) {
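Review bot: The new assert on `out->pos` checks only the upper bound, so a negative `pos` would still reach `memchr(chunk->data+pos, ch, chunk->datalen-pos)`, where it points before the chunk data and inflates the length argument. Adding the lower bound closes that gap: `tor_assert(out && out->chunk && out->pos >= 0 && out->pos < (int)out->chunk->datalen);`. The strict `<` also aborts the process when `pos` equals `datalen`, for example on an empty first chunk. If callers can legitimately pass a position at the end of a chunk, that case should be handled in the loop rather than asserted. The hunk cannot confirm this, since the callers and the rest of the function body are outside it.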

+ 3 - 2
src/or/dirvote.c

@@ -1787,16 +1787,17 @@ dirvote_add_signatures_to_pending_consensus(
     char *new_detached =
       networkstatus_get_detached_signatures(pending_consensus);
     const char *src;
-    char *dst;
+    char *dst, *dst_end;
     size_t new_consensus_len =
       strlen(pending_consensus_body) + strlen(new_detached) + 1;
     pending_consensus_body = tor_realloc(pending_consensus_body,
                                          new_consensus_len);
+    dst_end = pending_consensus_body + new_consensus_len;
     dst = strstr(pending_consensus_body, "directory-signature ");
     tor_assert(dst);
     src = strstr(new_detached, "directory-signature ");
     tor_assert(src);
-    strlcpy(dst, src, new_consensus_len - (dst-pending_consensus_body));
+    strlcpy(dst, src, dst_end-dst);
 
     /* We remove this block once it has failed to crash for a while.  But
      * unless it shows up in profiles, we're probably better leaving it in,
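Review bot: `strlcpy(dst, src, dst_end-dst)` passes a signed pointer difference where a `size_t` is expected and ignores the return value, so the reason the copy cannot truncate is left implicit. The bound does hold from the visible lines, because the buffer is grown to `strlen(pending_consensus_body) + strlen(new_detached) + 1` and `src` points into `new_detached`, but nothing states it. I would add a comment such as `/* dst_end-dst >= strlen(src)+1: buffer grew by strlen(new_detached)+1 and src lies inside new_detached */` and write the size as `(size_t)(dst_end-dst)`. The enclosing function starts and ends outside the hunk.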

+ 4 - 0
src/or/routerparse.c

@@ -2704,6 +2704,7 @@ get_next_token(const char **s, const char *eos, token_rule_t *table)
 
   /* Set *s to first token, eol to end-of-line, next to after first token */
   *s = eat_whitespace_eos(*s, eos); /* eat multi-line whitespace */
+  tor_assert(eos >= *s);
   eol = memchr(*s, '\n', eos-*s);
   if (!eol)
     eol = eos;
@@ -2775,11 +2776,13 @@ get_next_token(const char **s, const char *eos, token_rule_t *table)
 
   /* Check whether there's an object present */
   *s = eat_whitespace_eos(eol, eos);  /* Scan from end of first line */
+  tor_assert(eos >= *s);
   eol = memchr(*s, '\n', eos-*s);
   if (!eol || eol-*s<11 || strcmpstart(*s, "-----BEGIN ")) /* No object. */
     goto check_object;
 
   obstart = *s; /* Set obstart to start of object spec */
+  tor_assert(eol >= (*s+16));
   if (*s+11 >= eol-5 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
       strcmp_len(eol-5, "-----", 5)) {          /* nuls or invalid endings */
     RET_ERR("Malformed object: bad begin line");
@@ -2793,6 +2796,7 @@ get_next_token(const char **s, const char *eos, token_rule_t *table)
   if (!next) {
     RET_ERR("Malformed object: missing object end line");
   }
+  tor_assert(eos >= next);
   eol = memchr(next, '\n', eos-next);
   if (!eol)  /* end-of-line marker, or eos if there's no '\n' */
     eol = eos;
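Review bot: In the second hunk, `tor_assert(eol >= (*s+16));` asserts on a length that comes from the document being parsed, and the check before it only guarantees `eol-*s >= 11`. A "-----BEGIN " line between 11 and 15 bytes long therefore aborts the process instead of reaching the existing `*s+11 >= eol-5` test, which already rejects it with `RET_ERR("Malformed object: bad begin line")`. If get_next_token is fed documents from other hosts, which the hunk does not show, this turns a parse error into an availability problem. I would drop the assert and rely on the short-circuiting condition, or place it after the `RET_ERR` branch where the invariant actually holds. The `eos >= *s` and `eos >= next` asserts in the other hunks guard helper results rather than raw input lengths and look fine; the function body starts and ends outside these hunks.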