* Fix a off-by-one error in parse_format_tag in the case that the last character

  of the string to which *sa points is a %. In this case the while loop in
  parse_format_string would call parse_format_tag with a pointer to a memory
  region that starts one byte after the string to which s in parse_format_string
  points to.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@499567 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/metadata/mod_headers.c b/modules/metadata/mod_headers.c
index c7b2fc5d348c1619cdc6093e2b3b20b162a15049..e139b5db9f31021603a67f3952cd33165e584759 100644 (file)
--- a/modules/metadata/mod_headers.c
+++ b/modules/metadata/mod_headers.c
@@ -309,7 +309,9 @@ static char *parse_format_tag(apr_pool_t *p, format_tag *tag, const char **sa)
     if ((*s == '%') || (*s == '\0')) {
         tag->func = constant_item;
         tag->arg = "%";
-        *sa = ++s;
+        if (*s)
+            s++;
+        *sa = s;
         return NULL;
     }