This looks inverted. The buffer should be MAX+1. This logic error leads to paths that are valid in one context but fail later in the next bit of code.

On Jun 16, 2016 12:17 AM, <jaillet...@apache.org> wrote:
> Author: jailletc36
> Date: Thu Jun 16 05:17:35 2016
> New Revision: 1748653
>
> URL: http://svn.apache.org/viewvc?rev=1748653&view=rev
> Log:
> Fix a potential buffer overflow.
>
> Modified:
> httpd/httpd/trunk/modules/filters/sed0.c
>
> Modified: httpd/httpd/trunk/modules/filters/sed0.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/sed0.c?rev=1748653&r1=1748652&r2=1748653&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/modules/filters/sed0.c (original)
> +++ httpd/httpd/trunk/modules/filters/sed0.c Thu Jun 16 05:17:35 2016
> @@ -588,7 +588,7 @@ jtcommon:
> command_errf(commands, SEDERR_SMMES,
> commands->linebuf);
> return -1;
> }
> - if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX]) ==
> NULL) {
> + if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX-1])
> == NULL) {
> command_errf(commands, SEDERR_FNTL,
> commands->linebuf);
> return -1;
> }
> @@ -617,7 +617,7 @@ jtcommon:
> command_errf(commands, SEDERR_SMMES, commands->linebuf);
> return -1;
> }
> - if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX]) ==
> NULL) {
> + if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX-1]) ==
> NULL) {
> command_errf(commands, SEDERR_FNTL, commands->linebuf);
> return -1;
> }
>
>
>
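Review bot: The end-of-buffer argument is now spelled `&fnamebuf[APR_PATH_MAX-1]` at both call sites (the -588 and -617 hunks) with no comment saying whether text() treats its third argument as the last writable byte or as one past it, and that convention decides whether a terminator can land outside the array. Neither fnamebuf's declaration nor text() is visible in these hunks, so the bound cannot be checked from the diff alone. I would add a comment at the first call, e.g. `/* text() may store the terminating NUL at the end pointer, so it must point inside fnamebuf */` (wording to be confirmed against text()), and, if fnamebuf is a true array in this function, derive the bound from it with `&fnamebuf[sizeof(fnamebuf) - 1]` so the two sites cannot drift from the declaration. Both calls sit in a block that starts and ends outside the hunks.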