Oh, don't you love buffer overflows?

We need to allocate storage space for the terminating NULL AND the extra /
we may tack on to the string at some point.

How in the hell the stars were aligned for this to corrupt newv via the
strcat at line 580 is unknown.

Resolves segfault seen on daedalus.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91607 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/server/request.c b/server/request.c
index 8d0c7abd3f3be26d1be2a89196b7f6d585de5438..d1e57aaec596d1b9f8d56af7abc4b106b0051c4a 100644 (file)
--- a/server/request.c
+++ b/server/request.c
@@ -554,7 +554,8 @@ AP_DECLARE(int) ap_directory_walk(request_rec *r)
         rv = apr_filepath_root((const char **)&r->filename,
                                (const char **)&r->path_info,
                                APR_FILEPATH_TRUENAME, r->pool);
-        buflen = strlen(r->filename) + strlen(r->path_info) + 1;
+        /* Space for terminating null and an extra / is required. */
+        buflen = strlen(r->filename) + strlen(r->path_info) + 2;
         buf = apr_palloc(r->pool, buflen);
         strcpy (buf, r->filename);
         r->filename = buf;