> From: Sander Striker [mailto:[EMAIL PROTECTED]]
> Sent: 12 March 2002 13:36
> Jeff, > > Does this resolve the issue you added the comment for? > > Sander > > Index: modules/mappers/mod_negotiation.c > =================================================================== > RCS file: /home/cvs/httpd-2.0/modules/mappers/mod_negotiation.c,v > retrieving revision 1.96 > diff -u -r1.96 mod_negotiation.c > --- modules/mappers/mod_negotiation.c 12 Mar 2002 11:48:32 -0000 1.96 > +++ modules/mappers/mod_negotiation.c 12 Mar 2002 12:20:01 -0000 > @@ -794,8 +794,12 @@ > { > char *endbody; > int bodylen; > + int taglen; > apr_off_t pos; > > + taglen = strlen(tag); > + *len -= taglen; > + > /* We are at the first character following a body:tag\n entry > * Suck in the body, then backspace to the first char after the > * closing tag entry. If we fail to read, find the tag or back > @@ -803,13 +807,11 @@ > */ > if (apr_file_read(map, buffer, len) != APR_SUCCESS) { > return -1; > - } > - /* XXX next line can go beyond allocated storage and segfault, > - * or worse yet go beyond data read but not beyond allocated > - * storage and think it found the tag > - */ > + } > + > + strncpy(buffer + *len, tag, taglen); > endbody = strstr(buffer, tag); > - if (!endbody) { > + if (!endbody || endbody == buffer + *len) { Ahum, just: if (endbody == buffer + *len) { would do the trick. ;) > return -1; > } > bodylen = endbody - buffer; Sander
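Review bot: In the first hunk (@@ -794,8 +794,12 @@), `*len -= taglen;` runs with no check that `*len` is larger than `taglen`. `len` is handed directly to `apr_file_read()`, which takes an `apr_size_t *`, so when the remaining length is shorter than the tag the subtraction wraps and the read is asked for far more than `buffer` can hold. Suggest returning -1 when `*len <= taglen` before subtracting, and declaring `taglen` as `apr_size_t` rather than `int`, since it holds a `strlen()` result.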
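Review bot: In the second hunk (@@ -803,13 +807,11 @@), keep the `!endbody` half of `if (!endbody || endbody == buffer + *len)`: the appended tag only guarantees a match when the body contains no NUL byte. `strncpy(buffer + *len, tag, taglen)` copies exactly `taglen` bytes and writes no terminator, so `strstr(buffer, tag)` is bounded by the sentinel alone; if the data read from the map file has an embedded NUL, `strstr()` stops there and returns NULL, and without the null test `bodylen = endbody - buffer` is computed from a null pointer. A short comment in place of the removed XXX block, saying the tag is appended as a sentinel after the `*len` bytes actually read, would document why the equality test means "tag not found".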