Fixes for three problems in mod_include:
authorBrian Pane <brianp@apache.org>
Fri, 29 Mar 2002 02:14:45 +0000 (02:14 +0000)
committerBrian Pane <brianp@apache.org>
Fri, 29 Mar 2002 02:14:45 +0000 (02:14 +0000)
  * The ctx->tag_length computation in find_end_sequence() was a bit
    broken in cases where there was a "false alarm" match on a partial
    "-->"
  * The ap_ssi_get_tag_and_value() function needs to avoid walking off
    the end of the string.  After debugging this some more, I ended up
    using Cliff's original patch.
  * Infinite loop in is_only_below()

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94284 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/filters/mod_include.c

diff --git a/CHANGES b/CHANGES
index 548c460a39841b25bdf998200695fe67aa1ffffa..54669195e6d5138815c8fa79976e398878e572f3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,7 @@
 Changes with Apache 2.0.35
 
+  *) Fix some mod_include segfaults [Cliff Woolley, Brian Pane, Brad Nicholes]
+
   *) Update the Redhat Layout to match Redhat version 7. PR BZ-7422
      [Joe Orton] 
 
index 778e7db33fcd2eed7b8202c0b1d5b35256b9ccf3..992f3ac61b31f44b6ff071f401dc4372c1d7313a 100644 (file)
@@ -652,10 +652,10 @@ static apr_bucket *find_end_sequence(apr_bucket *dptr, include_ctx_t *ctx,
                              ctx->state = PARSE_TAIL;
                              ctx->tail_start_bucket = dptr;
                              ctx->tail_start_index = c - buf;
-                             ctx->tag_length += ctx->parse_pos;
                              ctx->parse_pos = 1;
                          }
                          else {
+                             ctx->tag_length++;
                              if (ctx->tag_length > ctx->directive_length) {
                                  ctx->state = PARSE_TAG;
                              }
@@ -665,7 +665,6 @@ static apr_bucket *find_end_sequence(apr_bucket *dptr, include_ctx_t *ctx,
                              }
                              ctx->tail_start_bucket = NULL;
                              ctx->tail_start_index = 0;
-                             ctx->tag_length += ctx->parse_pos;
                              ctx->parse_pos = 0;
                          }
                     }
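Review bot: With `ctx->tag_length += ctx->parse_pos;` removed from the false-alarm reset here, this hunk does not show where the bytes of an abandoned partial "-->" match are added back to ctx->tag_length. The only new increment is the `ctx->tag_length++;` in the else branch of the previous hunk (old line 652). If those bytes go uncounted on some path, tag_length ends up shorter than the tag text, and the new bound in ap_ssi_get_tag_and_value() trusts that value. I would state the invariant next to the increment, for example `/* tag_length counts every byte of the tag body, including a '-' or "--" that did not start the end sequence */`, and add a test with a value containing '-' and a tag split across buckets. find_end_sequence() starts and ends outside both hunks, so this is based on the visible lines only.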
@@ -867,6 +866,10 @@ static void ap_ssi_get_tag_and_value(include_ctx_t *ctx, char **tag,
     char  term = '\0';
 
     *tag_val = NULL;
+    if (ctx->curr_tag_pos - ctx->combined_tag > ctx->tag_length) {
+        *tag = NULL;
+        return;
+    }
     SKIP_TAG_WHITESPACE(c);
     *tag = c;             /* First non-whitespace character (could be NULL). */
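Review bot: The new guard compares with `>`, so a ctx->curr_tag_pos that is exactly ctx->tag_length bytes past ctx->combined_tag still reaches SKIP_TAG_WHITESPACE(c) and is dereferenced. That is safe only if combined_tag always holds a terminating NUL at index tag_length, which this hunk does not show. If it does, say so in a comment such as `/* combined_tag[tag_length] is the terminating NUL, so == is still readable */`; otherwise use `>=`. The check also runs only once on entry, so the scanning further down the function (outside the hunk) still depends on that terminator. Callers now receive `*tag == NULL` as an end marker, and it is worth confirming that each of them tests for it before use.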
 
@@ -1179,8 +1182,12 @@ static int is_only_below(const char *path)
             return 0;
 #endif
         path += dots;
-        while (*path && *(path+1) != '/')
+        while (*path && (*path != '/')) {
+            ++path;
+        }
+        if (*path == '/') {
             ++path;
+        }
     }
     return 1;
 }
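Review bot: The rewritten scan in is_only_below() has no comment explaining why it is split into two steps. This function appears to be the check that rejects ".." segments in a path, so the next person to edit it should not have to rediscover why the loop terminates. I would add above the inner loop `/* skip the rest of this segment, then the '/' that ends it, so the enclosing loop always advances */`. A regression test with `a/b`, `a//b` and `a/../b` would pin both the termination and the ".." rejection. The function's opening and the enclosing loop header are outside the hunk.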