From: Rainer Jung Date: Thu, 25 Apr 2013 18:02:48 +0000 (+0000) Subject: htdigest: Fix buffer overflow when reading digest X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0548ec7610f98228a3607fde86b2a4c82121f7fd;p=thirdparty%2Fapache%2Fhttpd.git htdigest: Fix buffer overflow when reading digest password file with very long lines. PR 54893. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1475878 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index deca4432f09..802385cafe6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) htdigest: Fix buffer overflow when reading digest password file + with very long lines. PR 54893. [Rainer Jung] + *) mod_setenvif: Fix crash in case SetEnvif and SetEnvIfExpr are used together. PR 54881. [Ruediger Pluem] diff --git a/support/htdigest.c b/support/htdigest.c index a8b464aedda..f76036d7a5b 100644 --- a/support/htdigest.c +++ b/support/htdigest.c @@ -96,12 +96,15 @@ static int get_line(char *s, int n, apr_file_t *f) char ch; apr_status_t rv = APR_EINVAL; - while (i < (n - 1) && + /* we need 2 remaining bytes in buffer */ + while (i < (n - 2) && ((rv = apr_file_getc(&ch, f)) == APR_SUCCESS) && (ch != '\n')) { s[i++] = ch; } + /* First remaining byte potentially used here */ if (ch == '\n') s[i++] = ch; + /* Second remaining byte used here */ s[i] = '\0'; if (rv != APR_SUCCESS)
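Review bot: In get_line() in support/htdigest.c, `ch` is declared as `char ch;` with no initializer and is then tested by `if (ch == '\n')` after the loop. If the loop never calls apr_file_getc() (n is 2 or less, so `i < (n - 2)` is false on entry), the test reads an indeterminate value and can store a stray '\n' at s[0]; the same applies if the first apr_file_getc() call fails without writing to `ch`. Initialize it (`char ch = '\0';`) or guard the test with `rv == APR_SUCCESS`, which also covers the skipped-loop case because `rv` starts as APR_EINVAL. Separately, when the loop stops at i == n - 2 without having seen a newline, the visible lines terminate the buffer and carry on with nothing that marks the line as truncated, and the unread remainder stays in the file for the next call. Consider draining to the newline and reporting the truncation, so the tail of an overlong line is not returned as if it were a line of its own.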