From: Graham Leggett <minfrin@apache.org>
Date: Wed, 13 Oct 2004 16:51:38 +0000 (+0000)
Subject: mod_rewrite: Fix 0 bytes write into random memory position.
X-Git-Tag: 2.0.53~224
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=557dde5d156e996428a96c5f36868371f65581d3;p=thirdparty%2Fapache%2Fhttpd.git

mod_rewrite: Fix 0 bytes write into random memory position.
PR:	31036
Obtained from:
Submitted by:	nd
Reviewed by:	nd, trawick, jerenkrantz, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@105431 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 8e5daa2462f..2527b20a348 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 2.0.53
 
+  *) mod_rewrite: Fix 0 bytes write into random memory position.
+     PR 31036. [André Malo]
+
   *) mod_disk_cache: Do not store aborted content.  PR 21492.
      [RÃ¼iger PlÃ¼ <r.pluem t-online.de>]
 
diff --git a/STATUS b/STATUS
index 4a72fa79ee7..5105fb088ea 100644
--- a/STATUS
+++ b/STATUS
@@ -1,5 +1,5 @@
 APACHE 2.0 STATUS:                                              -*-text-*-
-Last modified at [$Date: 2004/10/13 16:40:54 $]
+Last modified at [$Date: 2004/10/13 16:51:37 $]
 
 Release:
 
@@ -129,7 +129,6 @@ PATCHES TO BACKPORT FROM 2.1
     *) mod_rewrite: Fix 0 bytes write into random memory position. PR 31036.
        (2.0 + 1.3)
          http://www.apache.org/~nd/dbmmap_1.3.patch
-         http://www.apache.org/~nd/dbmmap_2.0.patch
        +1: nd, trawick, jerenkrantz, jim
 
     *) mod_rewrite:Fix query string handling for proxied URLs. PR 14518.
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 290483710af..23770b48fbe 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -3200,25 +3200,25 @@ static char *lookup_map_dbmfile(request_rec *r, const char *file,
     apr_dbm_t *dbmfp = NULL;
     apr_datum_t dbmkey;
     apr_datum_t dbmval;
-    char *value = NULL;
-    char buf[MAX_STRING_LEN];
-    apr_status_t rv;
+    char *value;
+
+    if (apr_dbm_open_ex(&dbmfp, dbmtype, file, APR_DBM_READONLY, APR_OS_DEFAULT, 
+                        r->pool) != APR_SUCCESS) {
+        return NULL;
+    }
 
     dbmkey.dptr  = key;
     dbmkey.dsize = strlen(key);
-    if ((rv = apr_dbm_open_ex(&dbmfp, dbmtype, file, APR_DBM_READONLY,
-                              0 /* irrelevant when reading */,
-                              r->pool)) == APR_SUCCESS) {
-        rv = apr_dbm_fetch(dbmfp, dbmkey, &dbmval);
-        if (rv == APR_SUCCESS && dbmval.dptr) {
-            memcpy(buf, dbmval.dptr,
-                   dbmval.dsize < sizeof(buf)-1 ?
-                   dbmval.dsize : sizeof(buf)-1  );
-            buf[dbmval.dsize] = '\0';
-            value = apr_pstrdup(r->pool, buf);
-        }
-        apr_dbm_close(dbmfp);
+
+    if (apr_dbm_fetch(dbmfp, dbmkey, &dbmval) == APR_SUCCESS && dbmval.dptr) {
+        value = apr_pstrmemdup(r->pool, dbmval.dptr, dbmval.dsize);
+    }
+    else {
+        value = NULL;
     }
+
+    apr_dbm_close(dbmfp);
+
     return value;
 }