BUG/MAJOR: http: don't read past buffer's end in http_replace_value

The function http_replace_value use bad variable to detect the end of the input string. Regression introduced by the patch "MEDIUM: regex: Remove null terminated strings." (c9c2daf2) We need to backport this patch int the 1.5 stable branch. WT: there is no possibility to overwrite existing data as we only read past the end of the request buffer, to copy into the trash. The copy is bounded by buffer_replace2(), just like the replacement performed by exp_replace(). However if a buffer happens to contain non-zero data up to the next unmapped page boundary, there's a theorical risk of crashing the process despite this not being reproducible in tests. The risk is low because "http-request replace-value" did not work due to this bug so that probably means it's not used yet.
2026-05-04 12:41:00 +02:00 · 2015-03-16 11:14:41 +01:00 · 2015-03-16 11:14:41 +01:00 · 534101658d
commit 534101658d
parent a85cfb1db5
1 changed files with 2 additions and 2 deletions
--- a/src/proto_http.c
+++ b/src/proto_http.c
@ -3273,7 +3273,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha

 		/* look for delim. */
 		p_delim = p;
-		while (p_delim < p + len && *p_delim != delim)
+		while (p_delim < val + len && *p_delim != delim)
 			p_delim++;

 		if (regex_exec_match2(re, p, p_delim-p, MAX_MATCH, pmatch, 0)) {
@ -3297,7 +3297,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha
 			return -1;

 		/* end of the replacements. */
-		if (p_delim >= p + len)
+		if (p_delim >= val + len)
 			break;

 		/* Next part. */