From: Mark Wooding
Date: Tue, 15 Dec 2015 19:15:23 +0000 (+0000)
Subject: lib/cgi.c (cgi__input): Write terminating null within allocated buffer.
X-Git-Tag: 5.2~70
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/disorder/commitdiff_plain/751b34ac0cc1a39e8232aeaaa3c04295b0ec503f

lib/cgi.c (cgi__input): Write terminating null within allocated buffer.

This one's been there forever. It sometimes results in `malloc'
reporting a (rather impressive) assertion failure

    disorder: malloc.c:3096: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.

often after producing the beginning of the output page, so the end user
gets a blank window. Not really what we want.

This fix closes issue #57.
---
diff --git a/lib/cgi.c b/lib/cgi.c index 9fd42f1..023c5bb 100644 --- a/lib/cgi.c +++ b/lib/cgi.c @@ -75,7 +75,7 @@ static void cgi__input(char **ptrp, size_t *np) { } if(memchr(q, 0, n)) disorder_fatal(0, "null character in request body"); - q[n + 1] = 0; + q[n] = 0; *ptrp = q; if(np) *np = n;
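
Review bot: the new `q[n] = 0;` line is in bounds only if q was allocated with at least n + 1 bytes, and that allocation sits above the context shown in this hunk, so the subject line's "within allocated buffer" cannot be checked from the diff alone. Please confirm the allocation size, and consider a short comment at the allocation saying that the extra byte is reserved for the terminator, so the two lines stay in step if either is changed later. The removed `q[n + 1] = 0;` also never wrote q[n], so unless that byte was set elsewhere the string handed back through `*ptrp` was not reliably terminated. The commit message describes only the malloc assertion, and it would be worth recording that second effect too, since n comes from the request body that the `memchr(q, 0, n)` check is validating. A regression test that feeds a request body through cgi__input under a memory checker would catch a recurrence.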