ATTN Jim, I presume you didn't read the note below?
On Thu, Jun 16, 2016 at 6:59 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > This looks inverted. The buffer should be MAX+1. > > This logic error leads to paths valid in one context, which fail later in > the next bit of code. > On Jun 16, 2016 12:17 AM, <jaillet...@apache.org> wrote: > >> Author: jailletc36 >> Date: Thu Jun 16 05:17:35 2016 >> New Revision: 1748653 >> >> URL: http://svn.apache.org/viewvc?rev=1748653&view=rev >> Log: >> Fix a potential buffer overflow. >> >> Modified: >> httpd/httpd/trunk/modules/filters/sed0.c >> >> Modified: httpd/httpd/trunk/modules/filters/sed0.c >> URL: >> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/sed0.c?rev=1748653&r1=1748652&r2=1748653&view=diff >> >> ============================================================================== >> --- httpd/httpd/trunk/modules/filters/sed0.c (original) >> +++ httpd/httpd/trunk/modules/filters/sed0.c Thu Jun 16 05:17:35 2016 >> @@ -588,7 +588,7 @@ jtcommon: >> command_errf(commands, SEDERR_SMMES, >> commands->linebuf); >> return -1; >> } >> - if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX]) == >> NULL) { >> + if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX-1]) >> == NULL) { >> command_errf(commands, SEDERR_FNTL, >> commands->linebuf); >> return -1; >> } >> @@ -617,7 +617,7 @@ jtcommon: >> command_errf(commands, SEDERR_SMMES, commands->linebuf); >> return -1; >> } >> - if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX]) == >> NULL) { >> + if (text(commands, fnamebuf, &fnamebuf[APR_PATH_MAX-1]) == >> NULL) { >> command_errf(commands, SEDERR_FNTL, commands->linebuf); >> return -1; >> } >> >> >>
