From 296c6242a9d2ef527431037830993450e218fa7e Mon Sep 17 00:00:00 2001
From: Stefan Fritsch <sf@apache.org>
Date: Tue, 8 Nov 2011 19:41:05 +0000
Subject: [PATCH] Fix up some length limit calculation

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1199410 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/filters/mod_substitute.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/modules/filters/mod_substitute.c b/modules/filters/mod_substitute.c
index a6004474e0..3fd0ad0692 100644
--- a/modules/filters/mod_substitute.c
+++ b/modules/filters/mod_substitute.c
@@ -246,15 +246,19 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
                         }
                         else {
                             apr_size_t repl_len;
+                            /* acount for string before the match */
+                            if (space_left <= regm[0].rm_so)
+                                return APR_ENOMEM;
+                            space_left -= regm[0].rm_so;
                             rv = ap_pregsub_ex(pool, &repl,
                                                script->replacement, pos,
                                                AP_MAX_REG_MATCH, regm,
                                                space_left);
                             if (rv != APR_SUCCESS)
                                 return rv;
-                            len = (apr_size_t) (regm[0].rm_eo - regm[0].rm_so);
                             repl_len = strlen(repl);
-                            space_left -= len + repl_len;
+                            space_left -= repl_len;
+                            len = (apr_size_t) (regm[0].rm_eo - regm[0].rm_so);
                             SEDRMPATBCKT(b, regm[0].rm_so, tmp_b, len);
                             tmp_b = apr_bucket_transient_create(repl, repl_len,
                                                 f->r->connection->bucket_alloc);
-- 
2.40.0