From 518de0f54f6f8c4543a7989870479a88db893672 Mon Sep 17 00:00:00 2001
From: Greg Ames
Date: Fri, 8 Mar 2002 20:24:07 +0000
Subject: [PATCH] ap_rgetline_core: fix a bug with folding observed while testing ebcdic. Garbage characters sometimes appeared after a legitimate folded header. We weren't allocating an extra byte for the trailing null, or copying it, when called from get_mime_headers (folding is in use, and ap_rgetline is responsible for allocating memory). No need to worry about a trailing LF - it's already been nuked. I checked the partial line code to see if it had a similar bug. It looked like it did, and that the code which trims the back end of the line would run multiple times and whack innocent bytes. However, gdb showed that this section of code appears to be dead due to input filter chain changes. also, removed an assignment to a dead variable.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93804 13f79535-47bb-0310-9956-ffa450edef68
---
 server/protocol.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/server/protocol.c b/server/protocol.c
index 081984c7a6..1fd6cdced7 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -329,6 +329,13 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
 return rv;
 }
+ /* XXX this code appears to be dead because the filter chain
+ * seems to read until it sees a LF or an error. If it ever
+ * comes back to life, we need to make sure that:
+ * - we really alloc enough space for the trailing null
+ * - we don't allow the tail trimming code to run more than
+ * once
+ */
 if (do_alloc && next_len > 0) {
 char *new_buffer;
 apr_size_t new_size = bytes_handled + next_len;
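Review bot: The added XXX comment records a suspected undersized allocation rather than removing it: the context line directly below, `apr_size_t new_size = bytes_handled + next_len;`, still reserves no byte for the trailing null. Its safety now rests on the observation that the input filter chain currently never hands back a partial line. If that ever changes, this request-parsing path could leave the buffer unterminated or write past it, so I would make the same one-line change as the second hunk here, `apr_size_t new_size = bytes_handled + next_len + 1;`, or turn the branch into an explicit error return if it is meant to be unreachable. The body of this `if (do_alloc && next_len > 0)` continues outside the hunk, so whether its copy also needs the extra byte cannot be confirmed from here.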
@@ -464,13 +471,13 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
 if (do_alloc && next_len > 0) {
 char *new_buffer;
- apr_size_t new_size = bytes_handled + next_len;
- /* Again we need to alloc an extra two bytes for LF, null */
+ apr_size_t new_size = bytes_handled + next_len + 1;
+ /* we need to alloc an extra byte for a null */
 new_buffer = apr_palloc(r->pool, new_size);
 /* Copy what we already had. */
 memcpy(new_buffer, *s, bytes_handled);
- memcpy(new_buffer + bytes_handled, tmp, next_len);
- current_alloc = new_size;
+ /* copy the new line, including the trailing null */
+ memcpy(new_buffer + bytes_handled, tmp, next_len + 1);
 *s = new_buffer;
 }
-- 
2.40.0
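Review bot: `memcpy(new_buffer + bytes_handled, tmp, next_len + 1)` now reads one byte past `next_len` from `tmp`, so the fix is only correct if whatever filled `tmp` always stores a null at `tmp[next_len]`; that code is outside this hunk and should be confirmed. Writing the terminator explicitly removes the dependency: keep `memcpy(new_buffer + bytes_handled, tmp, next_len);` and add `new_buffer[bytes_handled + next_len] = '\0';`. Separately, `bytes_handled + next_len + 1` is not visibly checked against the caller's limit `n` anywhere in this hunk, so it is worth confirming that the folded total is bounded before the allocation. The enclosing function starts and ends outside the hunk.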