Resolve the issue Jeff pointed out in his recently added comment. That

is, prevent a possible segfault or finding a tag in reused memory.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93854 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c
index 376e01183e27c3d370e30b58e7ba00a163302e85..abf93fd081646233ee9c305c8e7a92cbf281d299 100644 (file)
--- a/modules/mappers/mod_negotiation.c
+++ b/modules/mappers/mod_negotiation.c
@@ -794,8 +794,12 @@ static apr_off_t get_body(char *buffer, apr_size_t *len, const char *tag,
 {
     char *endbody;
     int bodylen;
+    int taglen;
     apr_off_t pos;
 
+    taglen = strlen(tag);
+    *len -= taglen;
+
     /* We are at the first character following a body:tag\n entry 
      * Suck in the body, then backspace to the first char after the 
      * closing tag entry.  If we fail to read, find the tag or back
@@ -803,13 +807,11 @@ static apr_off_t get_body(char *buffer, apr_size_t *len, const char *tag,
      */
     if (apr_file_read(map, buffer, len) != APR_SUCCESS) {
         return -1;
-    }      
-    /* XXX next line can go beyond allocated storage and segfault,
-     *     or worse yet go beyond data read but not beyond allocated
-     *     storage and think it found the tag
-     */
+    }
+
+    strncpy(buffer + *len, tag, taglen);
     endbody = strstr(buffer, tag);
-    if (!endbody) {
+    if (endbody == buffer + *len) {
         return -1;
     }
     bodylen = endbody - buffer;