DW:

 - Fix possible memory access bug.  Before the change we would always
   copy 4096 bytes from 'headers' to 'buf'.  Not only was it wasteful,
   but it accessed uninitialized memory.

diff --git a/src/HttpReply.cc b/src/HttpReply.cc
index 89b2c30c009576e5ef043720df3d28ccc78a4788..a0e683d32258c4201f4968ac288a2fa71ba0ecad 100644 (file)
--- a/src/HttpReply.cc
+++ b/src/HttpReply.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: HttpReply.cc,v 1.40 2000/03/06 16:23:28 wessels Exp $
+ * $Id: HttpReply.cc,v 1.41 2000/04/16 21:59:45 wessels Exp $
  *
  * DEBUG: section 58    HTTP Reply (Response)
  * AUTHOR: Alex Rousskov
@@ -144,12 +144,12 @@ httpReplyParse(HttpReply * rep, const char *buf, ssize_t end)
      */
     char *headers = memAllocate(MEM_4K_BUF);
     int success;
+    size_t s = XMIN(end + 1, 4096);
     /* reset current state, because we are not used in incremental fashion */
     httpReplyReset(rep);
-    /* put a string terminator */
-    xstrncpy(headers, buf, 4096);
-    if (end >= 0 && end < 4096)
-       *(headers + end) = '\0';
+    /* put a string terminator.  s is how many bytes to touch in
+     * 'buf' including the terminating NULL. */
+    xstrncpy(headers, buf, s);
     success = httpReplyParseStep(rep, headers, 0);
     memFree(headers, MEM_4K_BUF);
     return success == 1;