From: Rainer Jung <rjung@apache.org>
Date: Fri, 26 Apr 2013 14:58:20 +0000 (+0000)
Subject: htdigest: Fix buffer overflow when reading digest
X-Git-Tag: 2.2.25~78
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10c3062f7d5b8acabc0c951b8d6c765961a64dff;p=thirdparty%2Fapache%2Fhttpd.git

htdigest: Fix buffer overflow when reading digest
password file with very long lines.

PR 54893.

Backport of r1475878 from trunk resp.
r1476089 from 2.4.x.

Proposed/Backported by: rjung
Reviewed by: humbedooh, rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1476242 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 0eaca3a73c7..910d9cd2d61 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.25
 
+  *) htdigest: Fix buffer overflow when reading digest password file
+     with very long lines. PR 54893. [Rainer Jung]
 
 
 Changes with Apache 2.2.24
diff --git a/STATUS b/STATUS
index 826a3617777..a3d81e00c79 100644
--- a/STATUS
+++ b/STATUS
@@ -109,12 +109,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
     2.2.x patch: http://people.apache.org/~wrowe/httpd-2.2-quiet-fips.patch
     +1: wrowe, druggeri, kbrand
 
-  * htdigest: Fix buffer overflow when reading digest
-    password file with very long lines. PR 54893.
-    trunk patch: https://svn.apache.org/r1475878
-    2.4.x patch: https://svn.apache.org/r1476089.
-    2.2.x patch: trunk and 2.4.x patch work
-    +1: rjung, humbedooh, rpluem
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
diff --git a/support/htdigest.c b/support/htdigest.c
index 6a0e26f123f..2fbdb4de215 100644
--- a/support/htdigest.c
+++ b/support/htdigest.c
@@ -96,12 +96,15 @@ static int get_line(char *s, int n, apr_file_t *f)
     char ch;
     apr_status_t rv = APR_EINVAL;
 
-    while (i < (n - 1) &&
+    /* we need 2 remaining bytes in buffer */
+    while (i < (n - 2) &&
            ((rv = apr_file_getc(&ch, f)) == APR_SUCCESS) && (ch != '\n')) {
         s[i++] = ch;
     }
+    /* First remaining byte potentially used here */
     if (ch == '\n')
         s[i++] = ch;
+    /* Second remaining byte used here */
     s[i] = '\0';
 
     if (rv != APR_SUCCESS)