Posted to apache-bugdb@apache.org by Alan Steremberg <al...@cs.stanford.edu> on 1997/02/15 10:10:01 UTC
general/175: find_path_info in util_script.c has a bug if strings are the same
The contract type is `' with a response time of 3 business hours.
A first analysis should be sent before: Mon Feb 17 11:00:00 PST 1997
>Number: 175
>Category: general
>Synopsis: find_path_info in util_script.c has a bug if strings are the same
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sat Feb 15 01:10:00 1997
>Originator: alans@cs.stanford.edu
>Organization:
apache
>Release: 1.2.b6
>Environment:
Solaris gcc
>Description:
The function find_path_info in util_script.c runs off the beginning of a string
if the two arguments are the same path.

static int find_path_info (char *uri, char *path_info)
{
    int lu = strlen(uri);
    int lp = strlen(path_info);

    while (lu-- && lp-- && uri[lu] == path_info[lp]);

    /* --- NOTE ---
     * If the strings are the same, then lu goes to zero and falls out, but it
     * still gets post-decremented to -1.
     * Therefore we can add a fix like this: */
    if (lu==-1) lu=0;
    /* Otherwise we will try to access uri[-1], which is a really bad thing to do! */

    while (uri[lu] != '\0' && uri[lu] != '/')
        lu++;
    return lu;
}
If you have any questions, please drop me a note: alans@cs.stanford.edu
Thanks!
Alan
>How-To-Repeat:
>Fix:
Fixed code:
static int find_path_info (char *uri, char *path_info)
{
    int lu = strlen(uri);
    int lp = strlen(path_info);

    while (lu-- && lp-- && uri[lu] == path_info[lp]);
    if (lu==-1) lu=0;

    while (uri[lu] != '\0' && uri[lu] != '/')
        lu++;
    return lu;
}
>Audit-Trail:
>Unformatted: