From 02780d57bd9287c472c9ce5c25c6e46d04d67ea6 Mon Sep 17 00:00:00 2001
From: Ben Reser <breser@apache.org>
Date: Wed, 8 Jan 2014 02:40:38 +0000
Subject: [PATCH] SECURITY: CVE-2013-6438 (cve.mitre.org) mod_dav: Keep track
 of length of cdata properly when removing leading spaces.

* modules/dav/main/util.c
  (dav_xml_get_cdata): reduce len variable when increasing cdata pointer.

Submitted by: Amin Tora <Amin.Tora neustar.biz>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1556428 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/dav/main/util.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index 1f393401b2..4e85a04f06 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -396,8 +396,10 @@ DAV_DECLARE(const char *) dav_xml_get_cdata(const apr_xml_elem *elem, apr_pool_t
 
     if (strip_white) {
         /* trim leading whitespace */
-        while (apr_isspace(*cdata))     /* assume: return false for '\0' */
+        while (apr_isspace(*cdata)) {     /* assume: return false for '\0' */
             ++cdata;
+            --len;
+        }
 
         /* trim trailing whitespace */
         while (len-- > 0 && apr_isspace(cdata[len]))
-- 
2.40.0