From b347617813fe9abc8ac59c0475b98f8b590574fe Mon Sep 17 00:00:00 2001
From: Brian Pane <brianp@apache.org>
Date: Fri, 29 Mar 2002 02:14:45 +0000
Subject: [PATCH] Fixes for three problems in mod_include:   * The
 ctx->tag_length computation in find_end_sequence() was a bit     broken in
 cases where there was a "false alarm" match on a partial     "-->"   * The
 ap_ssi_get_tag_and_value() function needs to avoid walking off     the end of
 the string.  After debugging this some more, I ended up     using Cliff's
 original patch.   * Infinite loop in is_only_below()

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94284 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                       |  2 ++
 modules/filters/mod_include.c | 13 ++++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 548c460a39..54669195e6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,7 @@
 Changes with Apache 2.0.35
 
+  *) Fix some mod_include segfaults [Cliff Woolley, Brian Pane, Brad Nicholes]
+
   *) Update the Redhat Layout to match Redhat version 7. PR BZ-7422
      [Joe Orton] 
 
diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c
index 778e7db33f..992f3ac61b 100644
--- a/modules/filters/mod_include.c
+++ b/modules/filters/mod_include.c
@@ -652,10 +652,10 @@ static apr_bucket *find_end_sequence(apr_bucket *dptr, include_ctx_t *ctx,
                              ctx->state = PARSE_TAIL;
                              ctx->tail_start_bucket = dptr;
                              ctx->tail_start_index = c - buf;
-                             ctx->tag_length += ctx->parse_pos;
                              ctx->parse_pos = 1;
                          }
                          else {
+                             ctx->tag_length++;
                              if (ctx->tag_length > ctx->directive_length) {
                                  ctx->state = PARSE_TAG;
                              }
@@ -665,7 +665,6 @@ static apr_bucket *find_end_sequence(apr_bucket *dptr, include_ctx_t *ctx,
                              }
                              ctx->tail_start_bucket = NULL;
                              ctx->tail_start_index = 0;
-                             ctx->tag_length += ctx->parse_pos;
                              ctx->parse_pos = 0;
                          }
                     }
@@ -867,6 +866,10 @@ static void ap_ssi_get_tag_and_value(include_ctx_t *ctx, char **tag,
     char  term = '\0';
 
     *tag_val = NULL;
+    if (ctx->curr_tag_pos - ctx->combined_tag > ctx->tag_length) {
+        *tag = NULL;
+        return;
+    }
     SKIP_TAG_WHITESPACE(c);
     *tag = c;             /* First non-whitespace character (could be NULL). */
 
@@ -1179,8 +1182,12 @@ static int is_only_below(const char *path)
             return 0;
 #endif
         path += dots;
-        while (*path && *(path+1) != '/')
+        while (*path && (*path != '/')) {
+            ++path;
+        }
+        if (*path == '/') {
             ++path;
+        }
     }
     return 1;
 }
-- 
2.40.0