Brian Pane wrote:
> Cliff Woolley wrote:
>
>> On Wed, 27 Mar 2002, Brian Pane wrote:
>>
>>>> + if (ctx->curr_tag_pos - ctx->combined_tag > ctx->tag_length) {
>>>> + *tag = NULL;
>>>> + return;
>>>> + }
>>>>
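Review bot: the guard `if (ctx->curr_tag_pos - ctx->combined_tag > ctx->tag_length)` accepts an offset equal to `tag_length`; if `tag_length` does not count the terminating NUL, that offset is the terminator itself, so the hunk should state which convention it relies on (and use `>=` if the terminator is not meant to be processed as tag text). Returning `*tag = NULL` here also only masks the case where `ctx->curr_tag_pos` has already walked past a string that was not NUL-terminated, which the thread identifies as the real defect; if the check stays, a comment should mark it as a defensive backstop rather than the fix.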
>>> My only objection to this is that ctx->curr_tag_pos is supposed
>>> to point to a null-terminated copy of the directive, and all the
>>> subsequent looping logic in ap_ssi_tag_and_value() depends on
>>> that. Are we hitting a case where this string isn't null-terminated
>>> (meaning that the root cause of the problem is somewhere else)?
>>>
>>
>> Yes. There are at least these two lines:
>>
>> *(c-shift_val) = '\0'; /* Overwrites delimiter (term or WS) with NULL. */
>> ctx->curr_tag_pos = ++c;
>>
>
> That second one definitely looks bad. I've just committed a fix for it.
> I think the first one (the "*(c-shift_val)...") is safe, as long as
> ctx->curr_tag_pos points somewhere within a null-terminated string upon
> entry into the function.
Never mind--my fix broke some other things. I'll continue
looking at this...
--Brian