Whatever r32042 was supposed to fix in that file, it really broke R5 message
unflattening if the messages included any target or reply info. Changing the reader
usage like this makes the first argument a pointer to a buffer. It would
therefore write to random locations, because it would use the literal value of
those header fields as pointers, crashing the application using it.
Will check for GCC4 compliance next.
+alphabranch


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@32771 a95241bf-73f2-0310-859d-f6bbb57e9c96
Michael Lotz 2009-08-28 00:37:36 +00:00
parent 398211a6d9
commit 77093be11a
1 changed files with 6 additions and 4 deletions


@ -180,6 +180,7 @@ MessageAdapter::Unflatten(uint32 format, BMessage *into, const char *buffer)
case MESSAGE_FORMAT_R5:
{
r5_message_header *header = (r5_message_header *)buffer;
debug_printf("creating memory io for message buffer %p with flattened size %ld\n", buffer, header->flattened_size);
BMemoryIO stream(buffer + sizeof(uint32),
header->flattened_size - sizeof(uint32));
return _UnflattenR5Message(format, into, &stream);
@ -188,6 +189,7 @@ MessageAdapter::Unflatten(uint32 format, BMessage *into, const char *buffer)
case MESSAGE_FORMAT_R5_SWAPPED:
{
r5_message_header *header = (r5_message_header *)buffer;
debug_printf("creating swapped memory io for message buffer %p with flattened size %ld\n", buffer, header->flattened_size);
BMemoryIO stream(buffer + sizeof(uint32),
__swap_int32(header->flattened_size) - sizeof(uint32));
return _UnflattenR5Message(format, into, &stream);
@ -519,13 +521,13 @@ MessageAdapter::_UnflattenR5Message(uint32 format, BMessage *into,
header->what = into->what = r5header.what;
if (r5header.flags & R5_MESSAGE_FLAG_INCLUDE_TARGET)
reader(header->target, sizeof(header->target));
reader(header->target);
if (r5header.flags & R5_MESSAGE_FLAG_INCLUDE_REPLY) {
// reply info
reader(header->reply_port, sizeof(header->reply_port));
reader(header->reply_target, sizeof(header->reply_target));
reader(header->reply_team, sizeof(header->reply_team));
reader(header->reply_port);
reader(header->reply_target);
reader(header->reply_team);
// big flags
uint8 bigFlag;