From: Brian Pane <brianp@apache.org>
Date: Fri, 29 Mar 2002 02:14:45 +0000 (+0000)
Subject: Fixes for three problems in mod_include:
X-Git-Tag: 2.0.34~50
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=440d5f0751bfa345cdefd6053511dfbee0926ee4;p=thirdparty%2Fapache%2Fhttpd.git

Fixes for three problems in mod_include:
  * The ctx->tag_length computation in find_end_sequence() was a bit
    broken in cases where there was a "false alarm" match on a partial
    "-->"
  * The ap_ssi_get_tag_and_value() function needs to avoid walking off
    the end of the string.  After debugging this some more, I ended up
    using Cliff's original patch.
  * Infinite loop in is_only_below()


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94284 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 548c460a398..54669195e6d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,7 @@
 Changes with Apache 2.0.35
 
+  *) Fix some mod_include segfaults [Cliff Woolley, Brian Pane, Brad Nicholes]
+
   *) Update the Redhat Layout to match Redhat version 7. PR BZ-7422
      [Joe Orton] 
 
diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c
index 778e7db33fc..992f3ac61b3 100644
--- a/modules/filters/mod_include.c
+++ b/modules/filters/mod_include.c
@@ -652,10 +652,10 @@ static apr_bucket *find_end_sequence(apr_bucket *dptr, include_ctx_t *ctx,
                              ctx->state = PARSE_TAIL;
                              ctx->tail_start_bucket = dptr;
                              ctx->tail_start_index = c - buf;
-                             ctx->tag_length += ctx->parse_pos;
                              ctx->parse_pos = 1;
                          }
                          else {
+                             ctx->tag_length++;
                              if (ctx->tag_length > ctx->directive_length) {
                                  ctx->state = PARSE_TAG;
                              }
@@ -665,7 +665,6 @@ static apr_bucket *find_end_sequence(apr_bucket *dptr, include_ctx_t *ctx,
                              }
                              ctx->tail_start_bucket = NULL;
                              ctx->tail_start_index = 0;
-                             ctx->tag_length += ctx->parse_pos;
                              ctx->parse_pos = 0;
                          }
                     }
@@ -867,6 +866,10 @@ static void ap_ssi_get_tag_and_value(include_ctx_t *ctx, char **tag,
     char  term = '\0';
 
     *tag_val = NULL;
+    if (ctx->curr_tag_pos - ctx->combined_tag > ctx->tag_length) {
+        *tag = NULL;
+        return;
+    }
     SKIP_TAG_WHITESPACE(c);
     *tag = c;             /* First non-whitespace character (could be NULL). */
 
@@ -1179,8 +1182,12 @@ static int is_only_below(const char *path)
             return 0;
 #endif
         path += dots;
-        while (*path && *(path+1) != '/')
+        while (*path && (*path != '/')) {
+            ++path;
+        }
+        if (*path == '/') {
             ++path;
+        }
     }
     return 1;
 }