Return-Path: 
 <dev-return-44155-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-dev-archive@www.apache.org
Received: (qmail 4617 invoked from network); 21 Sep 2004 15:02:09 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur-2.apache.org with SMTP; 21 Sep 2004 15:02:09 -0000
Received: (qmail 8441 invoked by uid 500); 21 Sep 2004 15:00:54 -0000
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 8268 invoked by uid 500); 21 Sep 2004 15:00:52 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
list-post: <mailto:dev@httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 8192 invoked by uid 99); 21 Sep 2004 15:00:51 -0000
X-ASF-Spam-Status: No, hits=0.1 required=10.0
	tests=DNS_FROM_RFC_ABUSE
X-Spam-Check-By: apache.org
Received-SPF: pass (hermes.apache.org: local policy)
Received: from [200.48.36.8] (HELO smtp3.terra.com.pe) (200.48.36.8)
  by apache.org (qpsmtpd/0.28) with ESMTP; Tue, 21 Sep 2004 08:00:51 -0700
Received: from [192.168.1.65] (unknown [200.106.22.165])
	by smtp3.terra.com.pe (Postfix) with ESMTP id D91EE17F4DB
	for <dev@httpd.apache.org>; Tue, 21 Sep 2004 10:01:56 -0500 (PET)
Mime-Version: 1.0 (Apple Message framework v619)
Content-Transfer-Encoding: 7bit
Message-Id: <0592F3CC-0BDF-11D9-9AB2-000A957D48A8@speedy.com.pe>
Content-Type: text/plain; charset=US-ASCII; format=flowed
To: dev@httpd.apache.org
From: Rici Lake <ricilake@speedy.com.pe>
Subject: Possible error in apr_rgetline_core
Date: Tue, 21 Sep 2004 10:00:48 -0500
X-Mailer: Apple Mail (2.619)
X-Virus-Checked: Checked
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

Lines 250-263 of server/protocol.c:

250        /* Would this overrun our buffer?  If so, we'll die. */
251        if (n < bytes_handled + len) {
252            *read = bytes_handled;
253            if (*s) {
254                /* ensure this string is terminated */
255                if (bytes_handled < n) {
256                    (*s)[bytes_handled-1] = '\0';
257                }
258                else {
259                    (*s)[n-1] = '\0';
260                }
261            }
262            return APR_ENOSPC;
263        }

The first time through this loop, bytes_handled will be 0. If the 
buffer was provided, rather than being allocated by ap_rgetline_core, 
and the first read exceeded the maximum length (n), then line 256 will 
set the byte *before* the buffer to 0.

I believe that the change introduced at revision 1.152 is incorrect; 
the test at line 255 ensures that the buffer will not be overrun, so 
the change from bytes_handled to bytes_handled-1 in line 256 was 
unnecessary.

Rici