httpd-cvs mailing list archives

From stri...@apache.org
Subject cvs commit: httpd-2.0/modules/mappers mod_negotiation.c
Date Tue, 12 Mar 2002 13:30:25 GMT
striker     02/03/12 05:30:25

  Modified:    modules/mappers mod_negotiation.c
  Log:
  Resolve the issue Jeff pointed out in his recently added comment.  That
  is, prevent a possible segfault or finding a tag in reused memory.
  
  Revision  Changes    Path
  1.97      +8 -6      httpd-2.0/modules/mappers/mod_negotiation.c
  
  Index: mod_negotiation.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/mappers/mod_negotiation.c,v
  retrieving revision 1.96
  retrieving revision 1.97
  diff -u -r1.96 -r1.97
  --- mod_negotiation.c	12 Mar 2002 11:48:32 -0000	1.96
  +++ mod_negotiation.c	12 Mar 2002 13:30:24 -0000	1.97
  @@ -794,8 +794,12 @@
   {
       char *endbody;
       int bodylen;
  +    int taglen;
       apr_off_t pos;
   
  +    taglen = strlen(tag);
  +    *len -= taglen;
  +
       /* We are at the first character following a body:tag\n entry 
        * Suck in the body, then backspace to the first char after the 
        * closing tag entry.  If we fail to read, find the tag or back
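Review bot: `*len -= taglen;` runs without checking that the tag fits in the caller's length, so if `strlen(tag)` exceeds `*len` the subtraction goes wrong before anything is read. `len` is passed straight to `apr_file_read` in the next hunk, so it is presumably an `apr_size_t *`, in which case the result wraps to a very large count and the read can run past `buffer`. I would declare `taglen` as `apr_size_t` (the `int` also narrows the `strlen` result) and add `if (taglen >= *len) return -1;` before the subtraction. The function's signature and the rest of its body lie outside this hunk, so the caller may already guarantee this; if it does, a comment saying so would be enough.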
  @@ -803,13 +807,11 @@
        */
       if (apr_file_read(map, buffer, len) != APR_SUCCESS) {
           return -1;
  -    }      
  -    /* XXX next line can go beyond allocated storage and segfault,
  -     *     or worse yet go beyond data read but not beyond allocated
  -     *     storage and think it found the tag
  -     */
  +    }
  +
  +    strncpy(buffer + *len, tag, taglen);
       endbody = strstr(buffer, tag);
  -    if (!endbody) {
  +    if (endbody == buffer + *len) {
           return -1;
       }
       bodylen = endbody - buffer;
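Review bot: The rewritten test `if (endbody == buffer + *len)` no longer covers a NULL result from `strstr`, which the removed `if (!endbody)` did. `strstr` stops at the first NUL byte, so a body read from the map file that contains a NUL before the closing tag yields NULL, which is not equal to `buffer + *len` and flows into `bodylen = endbody - buffer`. Keeping both cases, `if (!endbody || endbody == buffer + *len) {`, closes that. Separately, `strncpy` with a count of `taglen` copies the tag without a terminator, so it behaves as a `memcpy` here; a one-line comment such as `/* sentinel: strstr must find the tag no later than the end of the data read */` would make the intent clear. The function continues past the end of this hunk.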
  
  
  
