The function http_replace_value use bad variable to detect the end
of the input string.
Regression introduced by the patch "MEDIUM: regex: Remove null
terminated strings." (
c9c2daf2)
We need to backport this patch int the 1.5 stable branch.
WT: there is no possibility to overwrite existing data as we only read
past the end of the request buffer, to copy into the trash. The copy
is bounded by buffer_replace2(), just like the replacement performed
by exp_replace(). However if a buffer happens to contain non-zero data
up to the next unmapped page boundary, there's a theorical risk of
crashing the process despite this not being reproducible in tests.
The risk is low because "http-request replace-value" did not work due
to this bug so that probably means it's not used yet.
/* look for delim. */
p_delim = p;
- while (p_delim < p + len && *p_delim != delim)
+ while (p_delim < val + len && *p_delim != delim)
p_delim++;
if (regex_exec_match2(re, p, p_delim-p, MAX_MATCH, pmatch, 0)) {
return -1;
/* end of the replacements. */
- if (p_delim >= p + len)
+ if (p_delim >= val + len)
break;
/* Next part. */