From: Ben Reser <breser@apache.org>
Date: Wed, 8 Jan 2014 02:40:38 +0000 (+0000)
Subject: SECURITY: CVE-2013-6438 (cve.mitre.org)
X-Git-Tag: 2.5.0-alpha~4655
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=02780d57bd9287c472c9ce5c25c6e46d04d67ea6;p=thirdparty%2Fapache%2Fhttpd.git

SECURITY: CVE-2013-6438 (cve.mitre.org)
mod_dav: Keep track of length of cdata properly when removing leading spaces.

* modules/dav/main/util.c
  (dav_xml_get_cdata): reduce len variable when increasing cdata pointer.

Submitted by: Amin Tora <Amin.Tora neustar.biz>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1556428 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index 1f393401b2a..4e85a04f067 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -396,8 +396,10 @@ DAV_DECLARE(const char *) dav_xml_get_cdata(const apr_xml_elem *elem, apr_pool_t
 
     if (strip_white) {
         /* trim leading whitespace */
-        while (apr_isspace(*cdata))     /* assume: return false for '\0' */
+        while (apr_isspace(*cdata)) {     /* assume: return false for '\0' */
             ++cdata;
+            --len;
+        }
 
         /* trim trailing whitespace */
         while (len-- > 0 && apr_isspace(cdata[len]))