From: Joe Orton <jorton@apache.org>
Date: Thu, 20 Jan 2005 09:38:40 +0000 (+0000)
Subject: * modules/filters/mod_include.c (ap_ssi_parse_string): Fix off-by-one
X-Git-Tag: 2.0.53~71
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=125b45cd973065e38751839d6a358595f5945fbe;p=thirdparty%2Fapache%2Fhttpd.git

* modules/filters/mod_include.c (ap_ssi_parse_string): Fix off-by-one
which would truncate variables of length N*64 by one byte.

PR: 32985
Reviewed by: jorton, trawick, stoddard


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@125747 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 085341083ee..f53888d39bc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 2.0.53
 
+  *) mod_include: Fix bug which could truncate variable expansions
+     of N*64 characters by one byte.  PR 32985.  [Joe Orton]
+
   *) Correct handling of certain bucket types in ap_save_brigade, fixing
      possible segfaults in mod_cgi with #include virtual.  PR 31247.
      [Joe Orton]
diff --git a/STATUS b/STATUS
index ce970b5fd57..c9dc58d27bf 100644
--- a/STATUS
+++ b/STATUS
@@ -75,12 +75,6 @@ PATCHES TO BACKPORT FROM 2.1
   [ please place file names and revisions from HEAD here, so it is easy to
     identify exactly what the proposed changes are! ]
 
-    *) mod_include: fix an off-by-one which truncates the last character
-       off an N*64 character variable expansion (in some cases).
-       http://issues.apache.org/bugzilla/attachment.cgi?id=14025
-       PR: 32985
-       +1: jorton, trawick, stoddard
-
     *) mod_ssl: fail quickly if SSL connection is aborted rather than
        making many doomed ap_pass_brigade calls
        http://svn.apache.org/viewcvs?view=rev&rev=125166
diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c
index 751f9086e3e..a9ad033136c 100644
--- a/modules/filters/mod_include.c
+++ b/modules/filters/mod_include.c
@@ -616,7 +616,7 @@ static char *ap_ssi_parse_string(request_rec *r, include_ctx_t *ctx,
                     char *new_out;
                     do {
                         new_out_size *= 2;
-                    } while (new_out_size < current_length + l);
+                    } while (new_out_size < current_length + l + 1); /* +1 for NUL */
                     if (new_out_size > length) {
                         new_out_size = length;
                     }