From: Vincent Deffontaines <gryzor@apache.org>
Date: Fri, 10 Apr 2026 13:35:48 +0000 (+0000)
Subject: heap buffer over-read in ms_wdv.c (reported both by San Zhang and Merih Mengisteab)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fapache%2Fhttpd.git

heap buffer over-read in ms_wdv.c (reported both by San Zhang and Merih Mengisteab)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1932965 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/dav/main/ms_wdv.c b/modules/dav/main/ms_wdv.c
index 4e748683d6..cd9bb10cf5 100644
--- a/modules/dav/main/ms_wdv.c
+++ b/modules/dav/main/ms_wdv.c
@@ -649,7 +649,7 @@ static dav_error *mswdv_combined_proppatch(request_rec *r)
      * need to copy the PROPPATCH data to perform subrequest in
      * dav_mswdv_postprocessing().
      */
-    proppatch_data = apr_palloc(r->pool, proppatch_len);
+    proppatch_data = apr_palloc(r->pool, proppatch_len + 1);
 
     len = proppatch_len;
     status = apr_brigade_flatten(bb, proppatch_data, &len);
@@ -657,6 +657,8 @@ static dav_error *mswdv_combined_proppatch(request_rec *r)
         return dav_new_error(r->pool, HTTP_BAD_REQUEST, 0, status,
                              "Error flattening PROPPATCH part");
 
+    proppatch_data[len] = '\0';
+
     apr_table_setn(r->notes, "dav_mswdv_proppatch_data", proppatch_data);
 
     apr_brigade_destroy(bb);