heap buffer over-read in ms_wdv.c (reported both by San Zhang and Merih Mengisteab)

author Vincent Deffontaines <gryzor@apache.org>

Fri, 10 Apr 2026 13:35:48 +0000 (13:35 +0000)

committer Vincent Deffontaines <gryzor@apache.org>

Fri, 10 Apr 2026 13:35:48 +0000 (13:35 +0000)
author Vincent Deffontaines <gryzor@apache.org>
Fri, 10 Apr 2026 13:35:48 +0000 (13:35 +0000)
committer Vincent Deffontaines <gryzor@apache.org>
Fri, 10 Apr 2026 13:35:48 +0000 (13:35 +0000)
diff --git a/modules/dav/main/ms_wdv.c b/modules/dav/main/ms_wdv.c

index 4e748683d6fdacafbd66ae9aa915e45c1dcad18e..cd9bb10cf532982665900c32fb7840671d0e25f8 100644 (file)
--- a/modules/dav/main/ms_wdv.c
+++ b/modules/dav/main/ms_wdv.c
@@ -649,7 +649,7 @@ static dav_error *mswdv_combined_proppatch(request_rec *r)
       * need to copy the PROPPATCH data to perform subrequest in
       * dav_mswdv_postprocessing().
       */
-    proppatch_data = apr_palloc(r->pool, proppatch_len);
+    proppatch_data = apr_palloc(r->pool, proppatch_len + 1);
  
      len = proppatch_len;
      status = apr_brigade_flatten(bb, proppatch_data, &len);
@@ -657,6 +657,8 @@ static dav_error *mswdv_combined_proppatch(request_rec *r)
          return dav_new_error(r->pool, HTTP_BAD_REQUEST, 0, status,
                               "Error flattening PROPPATCH part");
  
+    proppatch_data[len] = '\0';
+
      apr_table_setn(r->notes, "dav_mswdv_proppatch_data", proppatch_data);
  
      apr_brigade_destroy(bb);
author	Vincent Deffontaines <gryzor@apache.org>
	Fri, 10 Apr 2026 13:35:48 +0000 (13:35 +0000)
committer	Vincent Deffontaines <gryzor@apache.org>
	Fri, 10 Apr 2026 13:35:48 +0000 (13:35 +0000)