httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From s.@apache.org
Subject svn commit: r1199410 - /httpd/httpd/trunk/modules/filters/mod_substitute.c
Date Tue, 08 Nov 2011 19:41:06 GMT
Author: sf
Date: Tue Nov  8 19:41:05 2011
New Revision: 1199410

URL: http://svn.apache.org/viewvc?rev=1199410&view=rev
Log:
Fix up some length limit calculation

Modified:
    httpd/httpd/trunk/modules/filters/mod_substitute.c

Modified: httpd/httpd/trunk/modules/filters/mod_substitute.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_substitute.c?rev=1199410&r1=1199409&r2=1199410&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/filters/mod_substitute.c (original)
+++ httpd/httpd/trunk/modules/filters/mod_substitute.c Tue Nov  8 19:41:05 2011
@@ -246,15 +246,19 @@ static apr_status_t do_pattmatch(ap_filt
                         }
                         else {
                             apr_size_t repl_len;
+                            /* acount for string before the match */
+                            if (space_left <= regm[0].rm_so)
+                                return APR_ENOMEM;
+                            space_left -= regm[0].rm_so;
                             rv = ap_pregsub_ex(pool, &repl,
                                                script->replacement, pos,
                                                AP_MAX_REG_MATCH, regm,
                                                space_left);
                             if (rv != APR_SUCCESS)
                                 return rv;
-                            len = (apr_size_t) (regm[0].rm_eo - regm[0].rm_so);
                             repl_len = strlen(repl);
-                            space_left -= len + repl_len;
+                            space_left -= repl_len;
+                            len = (apr_size_t) (regm[0].rm_eo - regm[0].rm_so);
                             SEDRMPATBCKT(b, regm[0].rm_so, tmp_b, len);
                             tmp_b = apr_bucket_transient_create(repl, repl_len,
                                                 f->r->connection->bucket_alloc);



Mime
View raw message