From e6a4c072419671c81e51360178f6d0693d1dcfa2 Mon Sep 17 00:00:00 2001
From: Rainer Jung <rjung@apache.org>
Date: Thu, 25 Apr 2013 18:02:48 +0000
Subject: [PATCH] htdigest: Fix buffer overflow when reading digest password
 file with very long lines.

PR 54893.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1475878 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES            | 3 +++
 support/htdigest.c | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index deca4432f0..802385cafe 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) htdigest: Fix buffer overflow when reading digest password file
+     with very long lines. PR 54893. [Rainer Jung]
+
   *) mod_setenvif: Fix crash in case SetEnvif and SetEnvIfExpr are used
      together. PR 54881. [Ruediger Pluem]
 
diff --git a/support/htdigest.c b/support/htdigest.c
index a8b464aedd..f76036d7a5 100644
--- a/support/htdigest.c
+++ b/support/htdigest.c
@@ -96,12 +96,15 @@ static int get_line(char *s, int n, apr_file_t *f)
     char ch;
     apr_status_t rv = APR_EINVAL;
 
-    while (i < (n - 1) &&
+    /* we need 2 remaining bytes in buffer */
+    while (i < (n - 2) &&
            ((rv = apr_file_getc(&ch, f)) == APR_SUCCESS) && (ch != '\n')) {
         s[i++] = ch;
     }
+    /* First remaining byte potentially used here */
     if (ch == '\n')
         s[i++] = ch;
+    /* Second remaining byte used here */
     s[i] = '\0';
 
     if (rv != APR_SUCCESS)
-- 
2.40.0