Posted to dev@httpd.apache.org by Alexei Kosut <ak...@nueva.pvt.k12.ca.us> on 1997/06/22 11:44:12 UTC

bug! in pregsub

Hmm. I just noticed that pregsub, a function in util.c that I wrote
a long time ago, has a bug in it that causes Apache to die (with that
cute "Ouch!  malloc failed" error). Surprising that no one noticed
until now... but nothing that comes with Apache except mod_rewrite
uses pregsub(), so I guess no one happened upon it.

The problem is that when it expands a variable, like $2, it checks to
make sure that there are actually two matched elements in the
regex. If not, it just skips the $2. It turns out it was one off, so
if there were only two matches, it would think $3 existed, and try to
put it into the substituted string. This is "undefined" according to
the POSIX regex spec. On my machine, using the HP-UX regex library, it
causes malloc errors. Perhaps on other OSes (or the Spencer package),
it still works.

At any rate, here's the patch. I guess this is for 1.2.1 as well as
1.3:

Index: util.c
===================================================================
RCS file: /export/home/cvs/apache/src/util.c,v
retrieving revision 1.53
diff -c -r1.53 util.c
*** util.c	1997/06/15 19:22:34	1.53
--- util.c	1997/06/22 09:39:17
***************
*** 232,238 ****
  	    if (c == '\\' && (*src == '$' || *src == '&'))
  		c = *src++;
  	    len++;
! 	} else if (no <= nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
  	    len += pmatch[no].rm_eo - pmatch[no].rm_so;
  	}
  
--- 232,238 ----
  	    if (c == '\\' && (*src == '$' || *src == '&'))
  		c = *src++;
  	    len++;
! 	} else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
  	    len += pmatch[no].rm_eo - pmatch[no].rm_so;
  	}
  
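Review bot: the new `no < nmatch` test in the length-counting branch is only correct if `nmatch` is the number of entries in `pmatch` (valid indices 0 to nmatch-1, the regexec() convention), and nothing next to the condition says so. A one-line comment above `} else if (no < nmatch && ...` stating that would keep a later reader from changing it back to `<=`. The hunk also does not show how `no` is derived; if it is a signed int, please confirm it cannot be negative here, since this test only bounds it from above.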
***************
*** 256,262 ****
  	    if (c == '\\' && (*src == '$' || *src == '&'))
  		c = *src++;
  	    *dst++ = c;
! 	} else if (no <= nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
  	    len = pmatch[no].rm_eo - pmatch[no].rm_so;
  	    strncpy(dst, source + pmatch[no].rm_so, len);
  	    dst += len;
--- 256,262 ----
  	    if (c == '\\' && (*src == '$' || *src == '&'))
  		c = *src++;
  	    *dst++ = c;
! 	} else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
  	    len = pmatch[no].rm_eo - pmatch[no].rm_so;
  	    strncpy(dst, source + pmatch[no].rm_so, len);
  	    dst += len;
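Review bot: the copy branch repeats by hand the condition used in the length pass at line 236, and `strncpy(dst, source + pmatch[no].rm_so, len)` writes into a buffer whose size presumably came from that earlier pass, so the two tests have to stay identical or the copy can write more than was counted. Consider moving `no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo` into a single macro or small helper used by both branches, so a future edit cannot change one and miss the other.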


-- 
________________________________________________________________________
Alexei Kosut <ak...@nueva.pvt.k12.ca.us>      The Apache HTTP Server
URL: http://www.nueva.pvt.k12.ca.us/~akosut/   http://www.apache.org/
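
The off-by-one described in the message above, shown as an added example that is not part of the original post and is not Apache's pregsub(): a two-pass expander whose measuring and copying passes share one bounds test. The names `expand` and `demo`, the pattern and the sample path are constructed for illustration.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a pregsub-style expander (not Apache's code).
 * pmatch has nmatch entries, so the valid group numbers are 0..nmatch-1. */
char *expand(const char *tmpl, const char *source,
             size_t nmatch, const regmatch_t *pmatch)
{
    char *out = NULL, *dst = NULL;
    size_t len = 0;
    /* Pass 0 measures, pass 1 copies; both run the same bounds test. */
    for (int pass = 0; pass < 2; pass++) {
        for (const char *src = tmpl; *src; ) {
            char c = *src++;
            int no = -1;                      /* -1 means literal character */
            if (c == '\\' && (*src == '$' || *src == '&'))
                c = *src++;
            else if (c == '&' || (c == '$' && *src >= '0' && *src <= '9'))
                no = (c == '&') ? 0 : *src++ - '0';
            if (no < 0) {
                if (pass) *dst++ = c; else len++;
            } else if ((size_t)no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
                size_t n = (size_t)(pmatch[no].rm_eo - pmatch[no].rm_so);
                if (pass) { memcpy(dst, source + pmatch[no].rm_so, n); dst += n; }
                else len += n;
            }                                 /* group out of range: skipped */
        }
        if (!pass && !(out = dst = malloc(len + 1)))
            return NULL;
    }
    *dst = '\0';
    return out;
}

/* Constructed input: two groups, so regexec fills pm[0..2] and nmatch is 3. */
char *demo(const char *tmpl)
{
    const char *source = "/user/alice";
    regex_t re;
    regmatch_t pm[3];
    char *res = NULL;
    if (regcomp(&re, "^/([a-z]+)/([a-z]+)$", REG_EXTENDED) != 0)
        return NULL;
    if (regexec(&re, source, 3, pm, 0) == 0)
        res = expand(tmpl, source, 3, pm);
    regfree(&re);
    return res;
}
```

With `<=` in place of `<`, the `$3` case would index `pm[3]`, one element past the array that regexec() filled.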