* modules/filters/mod_include.c (ap_ssi_parse_string): Fix off-by-one
authorJoe Orton <jorton@apache.org>
Thu, 20 Jan 2005 09:38:40 +0000 (09:38 +0000)
committerJoe Orton <jorton@apache.org>
Thu, 20 Jan 2005 09:38:40 +0000 (09:38 +0000)
which would truncate variables of length N*64 by one byte.

PR: 32985
Reviewed by: jorton, trawick, stoddard

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@125747 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/filters/mod_include.c

diff --git a/CHANGES b/CHANGES
index 085341083ee04264d018f38ec5285c8b30fbbf0b..f53888d39bc7ba8fe16fc86f457387f1fd6eec5a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 2.0.53
 
+  *) mod_include: Fix bug which could truncate variable expansions
+     of N*64 characters by one byte.  PR 32985.  [Joe Orton]
+
   *) Correct handling of certain bucket types in ap_save_brigade, fixing
      possible segfaults in mod_cgi with #include virtual.  PR 31247.
      [Joe Orton]
diff --git a/STATUS b/STATUS
index ce970b5fd57efee80d404a5ba3b62e5b2539f7ae..c9dc58d27bf7a4e23cb0fd010d8aab94b93e55f5 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -75,12 +75,6 @@ PATCHES TO BACKPORT FROM 2.1
   [ please place file names and revisions from HEAD here, so it is easy to
     identify exactly what the proposed changes are! ]
 
-    *) mod_include: fix an off-by-one which truncates the last character
-       off an N*64 character variable expansion (in some cases).
-       http://issues.apache.org/bugzilla/attachment.cgi?id=14025
-       PR: 32985
-       +1: jorton, trawick, stoddard
-
     *) mod_ssl: fail quickly if SSL connection is aborted rather than
        making many doomed ap_pass_brigade calls
        http://svn.apache.org/viewcvs?view=rev&rev=125166
index 751f9086e3ef47ae7b43f6bd9fd63de802bc125e..a9ad033136c357d5af90e2a2c8da35822e2818d3 100644 (file)
@@ -616,7 +616,7 @@ static char *ap_ssi_parse_string(request_rec *r, include_ctx_t *ctx,
                     char *new_out;
                     do {
                         new_out_size *= 2;
-                    } while (new_out_size < current_length + l);
+                    } while (new_out_size < current_length + l + 1); /* +1 for NUL */
                     if (new_out_size > length) {
                         new_out_size = length;
                     }