ap_rgetline_core: fix a bug with folding observed while testing ebcdic.

Garbage characters sometimes appeared after a legitimate folded header.
We weren't allocating an extra byte for the trailing null, or copying it,
when called from get_mime_headers (folding is in use, and ap_rgetline is
responsible for allocating memory).  No need to worry about a trailing
LF - it's already been nuked.

I checked the partial line code to see if it had a similar bug.  It looked
like it did, and that the code which trims the back end of the line would
run multiple times and whack innocent bytes.  However, gdb showed that this
section of code appears to be dead due to input filter chain changes.

also, removed an assignment to a dead variable.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93804 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/server/protocol.c b/server/protocol.c
index 081984c7a63c1bc17254b6ae82a04393afff5feb..1fd6cdced793e94e0d503b0ad9c4a0ce39ee3dab 100644 (file)
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -329,6 +329,13 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
                 return rv;
             }
 
+            /* XXX this code appears to be dead because the filter chain
+             * seems to read until it sees a LF or an error.  If it ever
+             * comes back to life, we need to make sure that:
+             * - we really alloc enough space for the trailing null
+             * - we don't allow the tail trimming code to run more than
+             *   once
+             */
             if (do_alloc && next_len > 0) {
                 char *new_buffer;
                 apr_size_t new_size = bytes_handled + next_len;
@@ -464,13 +471,13 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
 
                 if (do_alloc && next_len > 0) {
                     char *new_buffer;
-                    apr_size_t new_size = bytes_handled + next_len;
-                    /* Again we need to alloc an extra two bytes for LF, null */
+                    apr_size_t new_size = bytes_handled + next_len + 1;
+                    /* we need to alloc an extra byte for a null */
                     new_buffer = apr_palloc(r->pool, new_size);
                     /* Copy what we already had. */
                     memcpy(new_buffer, *s, bytes_handled);
-                    memcpy(new_buffer + bytes_handled, tmp, next_len);
-                    current_alloc = new_size;
+                    /* copy the new line, including the trailing null */
+                    memcpy(new_buffer + bytes_handled, tmp, next_len + 1);
                     *s = new_buffer;
                 }