Context: Code review of a third-party Apache module related
coincidentally to chronic memory corruption problems found a blunder
in code ported from Apache 1.3 to Apache 2.0+APR. It assumed that
apr_pstrndup(), like ap_pstrndup(), always allocated n+1 bytes from
the pool (i.e., it actually
On Tue, Oct 31, 2006 at 07:25:48AM -0500, Jeff Trawick wrote:
> Context: Code review of a third-party Apache module related
> coincidentally to chronic memory corruption problems found a blunder
> in code ported from Apache 1.3 to Apache 2.0+APR. It assumed that
> apr_pstrndup(), like ap_pstrndup
> () or at least change that to:
> if (*(s + (n-1)) == '\0') {
>     n--;
> }
There's no guarantee that strlen(s) is anywhere near n. It's valid
for a caller to do this, for example:
apr_pstrndup(p, foo, 65536);
--Brian
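A worked model of the two behaviours under discussion (the n+1 allocation the ported module assumed from ap_pstrndup(), the memchr()-bounded copy, and the out-of-bounds read that the proposed s[n-1] shortcut performs on a short string). This is an example added here, not code from APR, from Apache 1.3, or from anyone in this thread; malloc() stands in for the pool and every function name is the example's own.

```c
/*
 * Added example, not code from APR, from Apache 1.3, or from anyone in this
 * thread. It models the two behaviours the thread contrasts so the porting
 * blunder and the "check s[n-1]" objection can be exercised on concrete input:
 *
 *   old_pstrndup()  - the Apache 1.3 ap_pstrndup() contract the ported module
 *                     assumed: n+1 bytes always allocated, n bytes copied.
 *   scan_pstrndup() - the memchr()-based behaviour: stop at the first NUL
 *                     within n bytes and allocate only len+1.
 *
 * malloc() stands in for the pool; all function names are this example's own.
 */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Apache 1.3 style: copies n bytes blindly, so s must really be n bytes long. */
char *old_pstrndup(const char *s, size_t n, size_t *allocated)
{
    char *res = malloc(n + 1);
    if (res == NULL)
        return NULL;
    memcpy(res, s, n);
    res[n] = '\0';
    *allocated = n + 1;
    return res;
}

/* memchr() style: n is only an upper bound, so a short string stays short. */
char *scan_pstrndup(const char *s, size_t n, size_t *allocated)
{
    /* memchr() stops at the first match, so it never reads past the NUL. */
    const char *end = memchr(s, '\0', n);
    size_t len = end ? (size_t)(end - s) : n;
    char *res = malloc(len + 1);
    if (res == NULL)
        return NULL;
    memcpy(res, s, len);
    res[len] = '\0';
    *allocated = len + 1;
    return res;
}

/* Duplicate with the given variant and check both the text and the size. */
int check_dup(char *(*dup)(const char *, size_t, size_t *),
              const char *s, size_t n, const char *expect, size_t expect_alloc)
{
    size_t allocated = 0;
    char *d = dup(s, n, &allocated);
    int ok = d != NULL && strcmp(d, expect) == 0 && allocated == expect_alloc;
    free(d);
    return ok;
}

/*
 * The porting blunder: module code that later writes n bytes plus a NUL into
 * the duplicate because it "knows" n+1 bytes were allocated. Returns how far
 * that write would run past the memchr()-style allocation (0 means it fits).
 * The write itself is not performed.
 */
size_t module_overrun_bytes(const char *s, size_t n)
{
    size_t allocated = 0;
    char *d = scan_pstrndup(s, n, &allocated);
    size_t needed = n + 1;
    free(d);
    return needed > allocated ? needed - allocated : 0;
}

/*
 * The proposed shortcut `if (*(s + (n-1)) == '\0') n--;` dereferences s[n-1]
 * unconditionally. With buflen bytes actually backing s, that read is in
 * bounds only when n-1 < buflen; apr_pstrndup(p, foo, 65536) on a short foo
 * is the failing case.
 */
int lastbyte_check_in_bounds(size_t buflen, size_t n)
{
    return n != 0 && n - 1 < buflen;
}

int main(void)
{
    /* n within the string: both variants agree, 6 bytes for "hello". */
    printf("old  n=5:     %s\n",
           check_dup(old_pstrndup, "hello world", 5, "hello", 6) ? "ok" : "FAIL");
    printf("scan n=5:     %s\n",
           check_dup(scan_pstrndup, "hello world", 5, "hello", 6) ? "ok" : "FAIL");

    /* Brian's case: n far beyond the 4-byte buffer "abc\0". Only the memchr()
     * variant may be called here; old_pstrndup() would read 65536 bytes from
     * a 4-byte literal. */
    printf("scan n=65536: %s\n",
           check_dup(scan_pstrndup, "abc", 65536, "abc", 4) ? "ok" : "FAIL");

    printf("module overrun for n=65536 on \"abc\": %zu bytes\n",
           module_overrun_bytes("abc", 65536));
    printf("s[n-1] read in bounds for buflen=4, n=65536: %d\n",
           lastbyte_check_in_bounds(4, 65536));
    return 0;
}
```

The interesting line is module_overrun_bytes("abc", 65536): the memchr()-style call hands back a 4-byte allocation, and a module that then treats it as 65537 bytes writes 65533 bytes past the end of the pool block, which is exactly the kind of chronic, hard-to-trace corruption described at the top of the thread. lastbyte_check_in_bounds() shows why the s[n-1] shortcut cannot replace the scan: with the same arguments it would read 65532 bytes past a 4-byte buffer before ever looking at the real terminator.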
> > than to scan the whole string with memchr() or at least change that to:
> > if (*(s + (n-1)) == '\0') {
> >     n--;
> > }
> There's no guarantee that strlen(s) is anywhere near n. It's valid
> for a caller to do this, for example:
> apr_pstrndup(p, foo, 65536);
It looks to me