My criticism has to do with your implementation.
There's no point in fixing exploitable code with
a differently exploitable implementation.  Just
buffer things in an internal array and merge the
string once at the end of the loop, and *not* as
you iterate over the elements of the range header.


From: Jim Jagielski <jim@jaguNET.com>
To: dev@httpd.apache.org
Sent: Thursday, August 25, 2011 5:10 PM
Subject: Re: svn commit: r1161661 - /httpd/httpd/trunk/modules/http/byterange_filter.c


On Aug 25, 2011, at 5:02 PM, Joe Schaefer wrote:

> +1, also has the advantage of not being a quadratic
> allocator the way Jim's usage of apr_pstrcat is.
>

So what, exactly, will ap_set_byterange() do…? It was
my impression that it created our r->range entry...