Joe Orton wrote:
> Hi Jim,
>
> On Thu, Jul 05, 2012 at 01:49:25PM +0200, Jim Meyering wrote:
>> This is my first httpd patch/report.
>> If you'd prefer that it go to a BZ or a different list, just let me know.
>
> This is fine!
>
>> I found this by inspection: it appears that line[-1] (the heap) can be
>> corrupted. Is it possible for len to be 0 at that point? It looks like
>> it, since the preceding block guards against the len == 0 case.
>> However, I have not tried to trigger the flaw.
>
> Interesting. Are you using static analysis tools to find these?

No. In this case I used grep with visual inspection.

> I'm not sure it would be possible for apr_brigade_split_line() to find a
> zero-length string without error, but certainly the code is wrong.
...
> See docs/log-message-tags/ for reference here, keeping the existing
> number is correct. Thanks for the patch, committed:
>
> http://svn.apache.org/viewvc?view=revision&revision=1358061

Thanks!
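
The class of bug discussed in this thread, as an added example that is not part of the original message and is not httpd code: a write to line[len - 1] becomes a write to line[-1] when len is 0. The helper names and the assumption that the write strips a trailing line terminator are hypothetical; the thread does not show the affected code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not httpd code): strip one trailing LF or CRLF from a
 * buffer holding `len` bytes and return the new length. The len == 0 guard is
 * the point: without it, line[len - 1] is line[-1], one byte before the
 * buffer, which for a heap allocation is allocator metadata or a neighbour. */
size_t strip_eol(char *line, size_t len)
{
    if (len == 0) {
        return 0;                     /* nothing to inspect; never index -1 */
    }
    if (line[len - 1] == '\n') {
        line[--len] = '\0';
        if (len > 0 && line[len - 1] == '\r') {   /* same guard after LF */
            line[--len] = '\0';
        }
    }
    return len;
}

/* Constructed check: a canary byte sits directly before the line buffer.
 * Returns 1 if the canary is unchanged after stripping, 0 otherwise. */
struct guarded {
    char canary;
    char line[16];
};

int canary_survives(const char *input, size_t len, size_t *out_len)
{
    struct guarded g;
    g.canary = 0x5a;
    memset(g.line, 0, sizeof g.line);
    if (len > sizeof g.line - 1) {
        return 0;                     /* sample input too long for the demo */
    }
    memcpy(g.line, input, len);
    *out_len = strip_eol(g.line, len);
    return g.canary == 0x5a;
}

int main(void)
{
    size_t n;
    int ok = canary_survives("", 0, &n);          /* the zero-length case */
    printf("empty line: canary %s, len %zu\n", ok ? "intact" : "clobbered", n);
    return ok ? 0 : 1;
}
```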
