Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/06/22 18:09:09 UTC
Re: bug! in pregsub
+1
> Hmm. I just noticed that pregsub, a function in util.c that I wrote
> a long time ago, has a bug in it that causes Apache to die (with that
> cute "Ouch! malloc failed" error). Surprising that no one noticed
> until now... but nothing that comes with Apache except mod_rewrite
> uses pregsub(), so I guess no one happened upon it.
>
> The problem is that when it expands a variable, like $2, it checks to
> make sure that there are actually two matched elements in the
> regex. If not, it just skips the $2. It turns out it was one off, so
> if there were only two matches, it would think $3 existed, and try to
> put it into the substituted string. This is "undefined" according to
> the POSIX regex spec. On my machine, using the HP-UX regex library, it
> causes malloc errors. Perhaps on other OSes (or the Spencer package),
> it still works.
>
> At any rate, here's the patch. I guess this is for 1.2.1 as well as
> 1.3:
>
> Index: util.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/util.c,v
> retrieving revision 1.53
> diff -c -r1.53 util.c
> *** util.c 1997/06/15 19:22:34 1.53
> --- util.c 1997/06/22 09:39:17
> ***************
> *** 232,238 ****
> if (c == '\\' && (*src == '$' || *src == '&'))
> c = *src++;
> len++;
> ! } else if (no <= nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
> len += pmatch[no].rm_eo - pmatch[no].rm_so;
> }
>
> --- 232,238 ----
> if (c == '\\' && (*src == '$' || *src == '&'))
> c = *src++;
> len++;
> ! } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
> len += pmatch[no].rm_eo - pmatch[no].rm_so;
> }
>
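Review bot: The new bound `no < nmatch` on the changed line of this length pass assumes that nmatch is the number of elements in pmatch, so that valid indices run from 0 to nmatch-1, and nothing in the hunk states that. A one-line comment on the condition spelling out that contract would make it harder for the `<=` to come back in a later edit.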
> ***************
> *** 256,262 ****
> if (c == '\\' && (*src == '$' || *src == '&'))
> c = *src++;
> *dst++ = c;
> ! } else if (no <= nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
> len = pmatch[no].rm_eo - pmatch[no].rm_so;
> strncpy(dst, source + pmatch[no].rm_so, len);
> dst += len;
> --- 256,262 ----
> if (c == '\\' && (*src == '$' || *src == '&'))
> c = *src++;
> *dst++ = c;
> ! } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
> len = pmatch[no].rm_eo - pmatch[no].rm_so;
> strncpy(dst, source + pmatch[no].rm_so, len);
> dst += len;
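Review bot: The condition on the changed line of this copy pass has to stay identical to the one in the length pass at line 235, because the strncpy here writes `len` bytes for every group that the earlier loop added to its running `len`; if the two copies of the test ever drift apart, the copy can write more than was counted. Consider moving `no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo` into a small macro or helper that both loops call, so a future fix only has to be made once.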
>
>
> --
> ________________________________________________________________________
> Alexei Kosut <ak...@nueva.pvt.k12.ca.us> The Apache HTTP Server
> URL: http://www.nueva.pvt.k12.ca.us/~akosut/ http://www.apache.org/
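The off-by-one described in the quoted message, as an added C example that is not code from the message or from Apache's util.c: a simplified two-pass `$N` expansion over POSIX `regexec()` results in which a single helper enforces the `no < nmatch` bound for both passes. The names `group_len`, `expand` and `demo` and the sample input are assumptions made for illustration.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Length of group `no`; 0 if outside pmatch[0..nmatch-1] or unmatched. */
static size_t group_len(size_t no, size_t nmatch, const regmatch_t *pmatch)
{
    if (no >= nmatch || pmatch[no].rm_so < 0 || pmatch[no].rm_so >= pmatch[no].rm_eo)
        return 0;   /* bound is tested before pmatch[no] is ever read */
    return (size_t)(pmatch[no].rm_eo - pmatch[no].rm_so);
}

/* Expand $0..$9 in tmpl (simplified: no '&' or backslash handling). */
char *expand(const char *tmpl, const char *source, size_t nmatch, const regmatch_t *pmatch)
{
    size_t len = 0, no, n;
    const char *p;
    char *out, *dst;
    for (p = tmpl; *p; p++)                  /* pass 1: size the buffer */
        if (*p == '$' && p[1] >= '0' && p[1] <= '9')
            len += group_len((size_t)(*++p - '0'), nmatch, pmatch);
        else
            len++;
    if ((out = dst = malloc(len + 1)) == NULL)
        return NULL;
    for (p = tmpl; *p; p++)                  /* pass 2: same test, then copy */
        if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
            no = (size_t)(*++p - '0');
            if ((n = group_len(no, nmatch, pmatch)) > 0)
                memcpy(dst, source + pmatch[no].rm_so, n);
            dst += n;
        } else
            *dst++ = *p;
    *dst = '\0';
    return out;
}

/* Constructed input: two groups, so nmatch is 3 and $3 has no slot. */
char *demo(const char *tmpl)
{
    regex_t re;
    regmatch_t pm[3];
    const char *src = "user=alice";
    char *out = NULL;
    if (regcomp(&re, "([a-z]+)=([a-z]+)", REG_EXTENDED) != 0) return NULL;
    if (regexec(&re, src, 3, pm, 0) == 0)
        out = expand(tmpl, src, 3, pm);
    regfree(&re);
    return out;
}
```

With the bound written as `no <= nmatch`, the `$3` in a template would read `pm[3]`, one element past the end of the array.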