From 32b09230b16e4f0b38563583305187a2883b11e6 Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Wed, 16 Sep 2015 13:34:30 +0000
Subject: [PATCH] Merge r1700851 from trunk: mod_negotiation: simplify type-map body tag lookup, and be safe should it contain a NUL byte. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1703406 13f79535-47bb-0310-9956-ffa450edef68
---
 STATUS | 8 --------
 modules/mappers/mod_negotiation.c | 18 ++++++------------
 2 files changed, 6 insertions(+), 20 deletions(-)
diff --git a/STATUS b/STATUS
index 12ef90c800..07b1ecf752 100644
--- a/STATUS
+++ b/STATUS
@@ -109,14 +109,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- *) Easy patches - synch with trunk
- mod_negotiation: simplify type-map body tag lookup, and be safe
- should it contain a NUL byte.
- trunk: http://svn.apache.org/r1700851
- 2.4.x: trunk works
- +1: jailletc36, ylavic, jim
-
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
 [ New proposals should be added at the end of the list ]
diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c
index 2ef3838708..77f27cc6bd 100644
--- a/modules/mappers/mod_negotiation.c
+++ b/modules/mappers/mod_negotiation.c
@@ -828,33 +828,27 @@ static apr_off_t get_body(char *buffer, apr_size_t *len, const char *tag,
 apr_file_t *map)
 {
 char *endbody;
- int bodylen;
- int taglen;
+ apr_size_t bodylen;
 apr_off_t pos;
- taglen = strlen(tag);
- *len -= taglen;
 /* We are at the first character following a body:tag\n entry
 * Suck in the body, then backspace to the first char after the
 * closing tag entry. If we fail to read, find the tag or back
 * up then we have a hosed file, so give up already
 */
+ --*len; /* Reserve space for '\0' */
 if (apr_file_read(map, buffer, len) != APR_SUCCESS) {
 return -1;
 }
+ buffer[*len] = '\0';
- /* put a copy of the tag *after* the data read from the file
- * so that strstr() will find something with no reliance on
- * terminating '\0'
- */
- memcpy(buffer + *len, tag, taglen);
- endbody = strstr(buffer, tag);
- if (endbody == buffer + *len) {
+ endbody = ap_strstr(buffer, tag);
+ if (!endbody) {
 return -1;
 }
 bodylen = endbody - buffer;
- endbody += taglen;
+ endbody += strlen(tag);
 /* Skip all the trailing cruft after the end tag to the next line */
 while (*endbody) {
 if (*endbody == '\n') {
--
2.40.0
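Review bot: The added `--*len;` assumes the caller always passes a non-zero size; if `*len` were 0, the unsigned decrement would wrap and `apr_file_read()` would be asked to fill far more than `buffer` can hold. The callers are not visible in this hunk, so this may be hardening only, but a guard such as `if (*len == 0) return -1;` ahead of the decrement would make the precondition explicit. The block comment above could also say that `*len` is the full buffer size on entry, with one byte reserved for the terminator. It is worth noting there too that a body with a NUL byte ahead of the closing tag now fails with -1, because `ap_strstr()` stops at the first NUL. get_body() continues past the end of this hunk.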