Jeff,
Does this resolve the issue you added the comment for?
Sander
Index: modules/mappers/mod_negotiation.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/mappers/mod_negotiation.c,v
retrieving revision 1.96
diff -u -r1.96 mod_negotiation.c
--- modules/mappers/mod_negotiation.c 12 Mar 2002 11:48:32 -0000 1.96
+++ modules/mappers/mod_negotiation.c 12 Mar 2002 12:20:01 -0000
@@ -794,8 +794,12 @@
{
char *endbody;
int bodylen;
+ int taglen;
apr_off_t pos;
+ taglen = strlen(tag);
+ *len -= taglen;
+
/* We are at the first character following a body:tag\n entry
* Suck in the body, then backspace to the first char after the
* closing tag entry. If we fail to read, find the tag or back
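Review bot: `*len -= taglen;` can wrap when the tag is longer than the buffer size the caller passes in. `len` is handed straight to `apr_file_read`, which takes an `apr_size_t *`, so the subtraction is presumably unsigned and a wrapped value would let the read run past `buffer`. A guard before the subtraction closes that gap, e.g. `if (*len <= (apr_size_t)taglen) return -1;`. Storing `strlen(tag)` in an `int` also narrows a `size_t`; declaring `apr_size_t taglen` avoids both the narrowing and the cast. The function signature and the declaration of `len` are outside the hunk, so confirm the type there.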
@@ -803,13 +807,11 @@
*/
if (apr_file_read(map, buffer, len) != APR_SUCCESS) {
return -1;
- }
- /* XXX next line can go beyond allocated storage and segfault,
- * or worse yet go beyond data read but not beyond allocated
- * storage and think it found the tag
- */
+ }
+
+ strncpy(buffer + *len, tag, taglen);
endbody = strstr(buffer, tag);
- if (!endbody) {
+ if (!endbody || endbody == buffer + *len) {
return -1;
}
bodylen = endbody - buffer;
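Review bot: The new test `endbody == buffer + *len` rejects only a match that starts exactly at the sentinel. A match that starts in the last bytes read and finishes inside the copied tag is still accepted as a real closing tag; this can happen when the tag has a prefix equal to its own suffix and the data read ends with that prefix. Comparing the end of the match with the end of the data covers both cases: `if (!endbody || endbody + taglen > buffer + *len) {`. The `strncpy` call writes exactly `taglen` bytes and no terminator, which is what the sentinel needs, so `memcpy(buffer + *len, tag, taglen);` states that intent more plainly. The function body continues outside the hunk.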