Cliff Woolley wrote:
>On Wed, 27 Mar 2002, Brian Pane wrote:
>
>>>+ if (ctx->curr_tag_pos - ctx->combined_tag > ctx->tag_length) {
>>>+ *tag = NULL;
>>>+ return;
>>>+ }
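Review bot: this guard only detects the overrun after ctx->curr_tag_pos has already moved outside the directive buffer; the rest of the thread identifies the actual cause as the unconditional `ctx->curr_tag_pos = ++c;`, which steps past the NUL that terminates the string when that NUL was the delimiter. Fix that advance (leave the cursor on the terminator instead of stepping over it) and this check becomes redundant. If the check is kept anyway, note that `>` still admits curr_tag_pos == combined_tag + tag_length, i.e. the cursor sitting on the terminator, which is only safe if that byte is guaranteed to be NUL, and that every caller of ap_ssi_tag_and_value() must now handle `*tag == NULL`.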
>>>
>>My only objection to this is that ctx->curr_tag_pos is supposed
>>to point to a null-terminated copy of the directive, and all the
>>subsequent looping logic in ap_ssi_tag_and_value() depends on
>>that. Are we hitting a case where this string isn't null-terminated
>>(meaning that the root cause of the problem is somewhere else)?
>>
>
>Yes. There are at least these two lines:
>
> *(c-shift_val) = '\0'; /* Overwrites delimiter (term or WS) with NULL. */
> ctx->curr_tag_pos = ++c;
>
That second one definitely looks bad. I've just committed a fix for it.
I think the first one (the "*(c-shift_val)...") is safe, as long as
ctx->curr_tag_pos points somewhere within a null-terminated string upon
entry into the function.
--Brian