From 40d1a65be5a7f29bafeebe95b64d0fd0e068aa79 Mon Sep 17 00:00:00 2001
From: Sander Striker
Date: Tue, 12 Mar 2002 13:30:24 +0000
Subject: [PATCH] Resolve the issue Jeff pointed out in his recently added comment. That is, prevent a possible segfault or finding a tag in reused memory.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93854 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/mappers/mod_negotiation.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c
index 376e01183e..abf93fd081 100644
--- a/modules/mappers/mod_negotiation.c
+++ b/modules/mappers/mod_negotiation.c
@@ -794,8 +794,12 @@ static apr_off_t get_body(char *buffer, apr_size_t *len, const char *tag,
 {
     char *endbody;
     int bodylen;
+    int taglen;
     apr_off_t pos;
 
+    taglen = strlen(tag);
+    *len -= taglen;
+
     /* We are at the first character following a body:tag\n entry
      * Suck in the body, then backspace to the first char after the
      * closing tag entry. If we fail to read, find the tag or back
@@ -803,13 +807,11 @@ static apr_off_t get_body(char *buffer, apr_size_t *len, const char *tag,
      */
     if (apr_file_read(map, buffer, len) != APR_SUCCESS) {
         return -1;
-    }
-    /* XXX next line can go beyond allocated storage and segfault,
-     * or worse yet go beyond data read but not beyond allocated
-     * storage and think it found the tag
-     */
+    }
+
+    strncpy(buffer + *len, tag, taglen);
     endbody = strstr(buffer, tag);
-    if (!endbody) {
+    if (endbody == buffer + *len) {
         return -1;
     }
     bodylen = endbody - buffer;
-- 
2.40.0
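Review bot: `*len -= taglen;` subtracts from an unsigned `apr_size_t` without first checking that the caller's length is at least the tag length. If `*len` is smaller, the value wraps and the `apr_file_read` that follows is asked to fill far more than `buffer` can hold. Whether every caller guarantees this is not visible in the hunk, so I would guard it locally with `if ((apr_size_t)taglen > *len) return -1;` ahead of the subtraction. Declaring `taglen` as `apr_size_t` instead of `int` would also avoid narrowing the result of `strlen` and the mixed-sign arithmetic. The rest of get_body's signature and body lie outside this hunk.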
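Review bot: The new test `if (endbody == buffer + *len)` no longer covers `strstr` returning NULL, which the removed `if (!endbody)` did. A NUL byte in the data read from the map file ends the search before the sentinel copy of the tag is reached, and `bodylen = endbody - buffer` is then computed from a null pointer. The condition should keep both cases: `if (!endbody || endbody == buffer + *len) {`. Separately, `strncpy(buffer + *len, tag, taglen)` writes no terminator, so the search relies on the sentinel alone to stop it. `memcpy` would state that intent, ideally with a short comment that the appended tag bounds the search. The function continues past the end of the hunk.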