Brian Pane wrote:

> Cliff Woolley wrote:
>
>> On Wed, 27 Mar 2002, Brian Pane wrote:
>>
>>>> + if (ctx->curr_tag_pos - ctx->combined_tag > ctx->tag_length) {
>>>> + *tag = NULL;
>>>> + return;
>>>> + }
>>>>
>>> My only objection to this is that ctx->curr_tag_pos is supposed
>>> to point to a null-terminated copy of the directive, and all the
>>> subsequent looping logic in ap_ssi_tag_and_value() depends on
>>> that. Are we hitting a case where this string isn't null-terminated
>>> (meaning that the root cause of the problem is somewhere else)?
>>>
>>
>> Yes. There are at least these two lines:
>>
>>     *(c-shift_val) = '\0'; /* Overwrites delimiter (term or WS) with NULL. */
>>     ctx->curr_tag_pos = ++c;
>>
>
> That second one definitely looks bad. I've just committed a fix for it.
> I think the first one (the "*(c-shift_val)...") is safe, as long as
> ctx->curr_tag_pos points somewhere within a null-terminated string upon
> entry into the function.
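Review bot: the guard in the quoted hunk treats the symptom at the consumer: it only fires once curr_tag_pos has already been moved past the terminating NUL, which the thread traces to `ctx->curr_tag_pos = ++c;` following the `*(c-shift_val) = '\0';` overwrite. Using `>` is correct (an offset equal to tag_length points at the NUL and is still a valid position), but the fix belongs where the pointer is advanced: increment only when the delimiter just overwritten was not already the terminator, and otherwise leave curr_tag_pos parked at combined_tag + tag_length. If the check stays as a defensive backstop, add a comment stating the invariant it enforces (curr_tag_pos lies within the null-terminated copy) so later edits to the looping logic in ap_ssi_tag_and_value() don't silently rely on it as the only protection.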
Never mind--my fix broke some other things. I'll continue looking at this...

--Brian
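To make the failure mode in this thread concrete, here is an added, simplified stand-in for the tag scanner, written for this discussion and not taken from Apache's mod_include or ap_ssi_tag_and_value(). The struct field names follow the thread (combined_tag, curr_tag_pos, tag_length); tag_ctx, scan_tag_buggy, scan_tag_fixed, pos_in_bounds and run_scanner are assumed names, tags are taken to be whitespace-separated tokens, and '=' handling is left out. The buggy scanner reproduces the "overwrite delimiter, then ++c" pattern from the two quoted lines; the fixed one bounds every read by the terminator and never steps past it.

```c
/* Added example, not Apache's code. Field names follow the thread; the
 * function and struct names are assumptions. Tags are whitespace-separated
 * tokens; '=' handling is omitted. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char  *combined_tag;  /* NUL-terminated copy of the directive body */
    char  *curr_tag_pos;  /* scan position; must stay inside the copy */
    size_t tag_length;    /* strlen(combined_tag) when the copy was made */
} tag_ctx;

/* The invariant the looping logic relies on: curr_tag_pos is at or before
 * the terminating NUL. Same idea as the check in the quoted hunk, with the
 * pointer difference kept signed so a position before combined_tag is also
 * rejected. Returns 1 when the invariant holds. */
static int pos_in_bounds(const tag_ctx *ctx)
{
    ptrdiff_t off = ctx->curr_tag_pos - ctx->combined_tag;
    return off >= 0 && (size_t)off <= ctx->tag_length;
}

/* Buggy scanner, mirroring the two quoted lines: it overwrites the delimiter
 * with NUL and then advances unconditionally. When the delimiter was already
 * the terminating NUL, curr_tag_pos ends up one byte past the string. */
static char *scan_tag_buggy(tag_ctx *ctx)
{
    char *c = ctx->curr_tag_pos;
    while (isspace((unsigned char)*c))
        c++;
    if (*c == '\0')
        return NULL;                 /* no more tags */
    char *tag = c;
    while (*c != '\0' && !isspace((unsigned char)*c))
        c++;
    *c = '\0';                       /* overwrite delimiter (term or WS) with NUL */
    ctx->curr_tag_pos = ++c;         /* BUG: steps past a terminating NUL */
    return tag;
}

/* Fixed scanner: every read is bounded by end (the NUL), and the position is
 * only advanced past a delimiter that was not the terminator. */
static char *scan_tag_fixed(tag_ctx *ctx)
{
    char *end = ctx->combined_tag + ctx->tag_length;  /* points at the NUL */
    char *c = ctx->curr_tag_pos;
    while (c < end && isspace((unsigned char)*c))
        c++;
    if (c >= end) {
        ctx->curr_tag_pos = end;     /* stay parked on the terminator */
        return NULL;
    }
    char *tag = c;
    while (c < end && !isspace((unsigned char)*c))
        c++;
    if (c < end) {
        *c = '\0';                   /* delimiter was whitespace */
        ctx->curr_tag_pos = c + 1;   /* c + 1 <= end, still in bounds */
    } else {
        ctx->curr_tag_pos = end;     /* token ran up to the NUL */
    }
    return tag;
}

/* Drives one scanner over a constructed directive body, checking the
 * invariant after every step. Returns the tag count, or -1 as soon as
 * curr_tag_pos leaves the NUL-terminated copy. The copy sits in a zero-filled
 * buffer with slack so the buggy overrun is observed without leaving it. */
static int run_scanner(char *(*scan)(tag_ctx *), const char *input)
{
    char buf[64] = {0};
    size_t len = strlen(input);
    if (len >= sizeof buf - 1)
        return -2;                   /* too long for this demo buffer */
    memcpy(buf, input, len + 1);
    tag_ctx ctx = { buf, buf, len };
    int n = 0;
    while (pos_in_bounds(&ctx) && scan(&ctx) != NULL) {
        n++;
        if (!pos_in_bounds(&ctx))
            return -1;
    }
    return n;
}

int main(void)
{
    printf("buggy \"abc def\" -> %d\n", run_scanner(scan_tag_buggy, "abc def"));
    printf("fixed \"abc def\" -> %d\n", run_scanner(scan_tag_fixed, "abc def"));
    return 0;
}
```

The interesting input is one whose last token runs right up to the terminator ("abc def"): the buggy scanner leaves curr_tag_pos at offset tag_length + 1, which is exactly what the quoted guard would catch, whereas with a trailing space ("abc def ") it happens to stay in bounds, so a test that only uses trailing whitespace never sees the bug.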