Hi Jim,

On Thu, Jul 05, 2012 at 01:49:25PM +0200, Jim Meyering wrote:
> This is my first httpd patch/report.
> If you'd prefer that it go to a BZ or a different list, just let me know.

This is fine!

> I found this by inspection: it appears that line[-1] (the heap) can be
> corrupted. Is it possible for len to be 0 at that point? It looks like
> it, since the preceding block guards against the len == 0 case.
> However, I have not tried to trigger the flaw.

Interesting. Are you using static analysis tools to find these? I'm not
sure it would be possible for apr_brigade_split_line() to find a
zero-length string without error, but certainly the code is wrong.

> A minor note: From the documentation of APLOGNO, it was not clear
> whether I should change 01979, given that this patch changes its guard
> condition in such a small way, so I left it. You may want to burn the
> 01979 and simply use a new number.
>
> Also, I didn't know of a recommended method for finding a number
> for the new diagnostic, so I did a quick and dirty:

See docs/log-message-tags/ for reference here; keeping the existing
number is correct.

Thanks for the patch, committed:

http://svn.apache.org/viewvc?view=revision&revision=1358061

Regards, Joe
