
List:       apache-httpd-dev
Subject:    Re: svn commit: r490156 -
From:       Nick Kew <nick () webthing ! com>
Date:       2007-01-23 23:48:01
Message-ID: 20070123234801.14d4ca3c () grimnir

On Tue, 23 Jan 2007 22:06:46 +0100
Ruediger Pluem <rpluem@apache.org> wrote:


> > -    /* Pass through %% as % */
> > -    if (*s == '%') {
> > +    /* Pass through %% or % at end of string as % */
> > +    if ((*s == '%') || (*s == '\0')) {
> >          tag->func = constant_item;
> >          tag->arg = "%";
> >          *sa = ++s;
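Review bot: In the `*s == '\0'` case the unchanged `*sa = ++s;` still runs, so the cursor handed back to the caller ends up one byte past the string terminator, and a caller that loops until it sees the terminator will keep parsing whatever follows the string. Advance only when `*s == '%'` and leave `*sa` on the NUL for a trailing `%`, for example `*sa = (*s == '%') ? s + 1 : s;`. The new comment could also state that the cursor stays on the terminator in that case.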
> 
> Doesn't this create an off-by-one error?
> 
> Let s look like the following: s = "%\0t"

%\0  ??  Oook!

> This would result in pointing *sa to t.
> 
> But in line 360 we have the following loop:
> 
>    while (*s) {
>        if ((res = parse_format_tag(p,
>                (format_tag *) apr_array_push(hdr->ta), &s))) {
>            return res;
>        }
>    }
> 
> It would then start to process the memory region starting with t with
> parse_format_tag.

Heh!

> I think the following should fix this:

Yep, looks right, thanks.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
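
The over-read discussed in this message, reduced to a stand-alone C sketch. This is an added example, not code from the message or from httpd: `parse_tag`, `scan_end` and the `fixed` switch are hypothetical names, and the corrected branch is an assumed fix, not the patch referred to above. The constructed buffer `"%\0t"` keeps the byte after the terminator inside the array, so the stray read is well defined here.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed input: a trailing '%' with a byte ('t') lying after the NUL. */
static const char sample[] = "%\0t";

/* Hypothetical stand-in for a format-tag parser: consumes one token and
 * stores the new cursor in *sa. fixed=0 keeps the cursor handling from
 * the quoted hunk; fixed=1 leaves the cursor on the terminator (assumed fix). */
static void parse_tag(const char **sa, int fixed)
{
    const char *s = *sa;

    if (*s != '%') {                 /* literal run up to next '%' or NUL */
        while (*s && *s != '%')
            s++;
        *sa = s;
        return;
    }
    s++;                             /* skip the introducing '%' */
    if (*s == '%' || *s == '\0') {   /* "%%" or trailing "%" -> literal % */
        if (fixed && *s == '\0')
            *sa = s;                 /* stay on the NUL so the caller stops */
        else
            *sa = ++s;               /* for NUL this steps past the terminator */
        return;
    }
    *sa = s + 1;                     /* one-letter directive such as %t */
}

/* Runs the caller's while (*s) loop and returns the offset where it stopped. */
size_t scan_end(const char *buf, int fixed)
{
    const char *s = buf;

    while (*s)
        parse_tag(&s, fixed);
    return (size_t)(s - buf);
}

int main(void)
{
    /* sizeof sample is 4, so offset 3 is still inside the array. */
    printf("hunk as quoted: stops at offset %zu\n", scan_end(sample, 0));
    printf("cursor kept on NUL: stops at offset %zu\n", scan_end(sample, 1));
    return 0;
}
```

With the quoted cursor handling the loop consumes the `t` behind the terminator and stops at offset 3; with the cursor left on the NUL it stops at offset 1.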