File httpd-2.4.9-bnc690734.patch of Package apache2.21779
Index: server/util_script.c
===================================================================
--- server/util_script.c.orig
+++ server/util_script.c
@@ -448,11 +448,20 @@ AP_DECLARE(int) ap_scan_script_header_er
apr_table_t *cookie_table;
int trace_log = APLOG_R_MODULE_IS_LEVEL(r, module_index, APLOG_TRACE1);
int first_header = 1;
+ int wlen;
if (buffer) {
*buffer = '\0';
}
- w = buffer ? buffer : x;
+
+ if (r->server->limit_req_fieldsize + 2 > MAX_STRING_LEN) {
+ w = apr_palloc(r->pool, r->server->limit_req_fieldsize + 2);
+ wlen = r->server->limit_req_fieldsize + 2;
+ } else {
+ w = buffer ? buffer : x;
+ wlen = MAX_STRING_LEN;
+ }
+
/* temporary place to hold headers to merge in later */
merge = apr_table_make(r->pool, 10);
@@ -468,7 +477,7 @@ AP_DECLARE(int) ap_scan_script_header_er
while (1) {
- int rv = (*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data);
+ int rv = (*getsfunc) (w, wlen - 1, getsfunc_data);
if (rv == 0) {
const char *msg = "Premature end of script headers";
if (first_header)
@@ -583,10 +592,13 @@ AP_DECLARE(int) ap_scan_script_header_er
if (!(l = strchr(w, ':'))) {
if (!buffer) {
/* Soak up all the script output - may save an outright kill */
- while ((*getsfunc)(w, MAX_STRING_LEN - 1, getsfunc_data) > 0) {
+ while ((*getsfunc) (w, wlen - 1, getsfunc_data)) {
continue;
}
- }
+ } else if (w != buffer) {
+ strncpy(buffer, w, MAX_STRING_LEN - 1);
+ buffer[MAX_STRING_LEN - 1] = 0;
+ }
/* Intentional no APLOGNO */
ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,