Line 586 adds two bytes to the length of each header string to allow for characters that will be added when the string is formatted:

    len += strlen(elts[i].key) + strlen(elts[i].val) + 2;

This is consistent with the commentary that precedes it; however, lines 598-602 actually add three bytes to the header string:

    *(((char*)buf_data)++) = ':';
    *(((char*)buf_data)++) = ' ';
    strcpy(buf_data, elts[i].val);
    ((char*)buf_data) += strlen(elts[i].val);
    *(((char*)buf_data)++) = '\n';

Net result: buf_size is one byte per row too small. GetServerVariable() is typically called once with a NULL buffer to establish the required buffer size, then called again with a newly allocated buffer of the appropriate size. This isn't possible if the first call returns too small a size. The fix is simple: change '2' to '3' in line 586.
Forgot to mention the file: this is in mod_isapi.c.
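The mismatch described in the report, as an added example that is not code from the report or from mod_isapi: the sizing pass and the formatting pass share one overhead constant, and the formatter refuses to write unless the buffer covers the size it reports. The names `struct hdr`, `hdrs_size`, `hdrs_format` and the sample headers are hypothetical, and the extra byte for a terminating NUL is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the key/value entries the report calls elts[i]. */
struct hdr { const char *key; const char *val; };

/* Constructed sample headers. */
static const struct hdr sample[] = {
    { "Host", "example.test" }, { "Accept", "text/html" }, { "X-A", "1" },
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

#define HDR_OVERHEAD 3 /* ':' + ' ' + '\n' are written for every entry */

/* Sizing pass. overhead is a parameter so the reported 2 can be compared with 3.
 * Assumption: one extra byte is reserved for a terminating NUL. */
static size_t hdrs_size(const struct hdr *h, size_t n, size_t overhead)
{
    size_t len = 1;
    for (size_t i = 0; i < n; i++)
        len += strlen(h[i].key) + strlen(h[i].val) + overhead;
    return len;
}

/* Formatting pass: "key: val\n" per entry. Returns the bytes required; writes
 * only when buf is non-NULL and cap is large enough (the two-call pattern). */
static size_t hdrs_format(const struct hdr *h, size_t n, char *buf, size_t cap)
{
    size_t need = hdrs_size(h, n, HDR_OVERHEAD);
    if (buf == NULL || cap < need)
        return need;
    char *p = buf;
    for (size_t i = 0; i < n; i++) {
        size_t kl = strlen(h[i].key), vl = strlen(h[i].val);
        memcpy(p, h[i].key, kl); p += kl;
        *p++ = ':'; *p++ = ' ';
        memcpy(p, h[i].val, vl); p += vl;
        *p++ = '\n';
    }
    *p = '\0';
    return need;
}

int main(void)
{
    char buf[64];
    size_t need = hdrs_format(sample, NSAMPLE, NULL, 0);
    hdrs_format(sample, NSAMPLE, buf, sizeof buf);
    printf("need=%zu, with +2: %zu\n%s", need, hdrs_size(sample, NSAMPLE, 2), buf);
    return 0;
}
```

With an overhead of 2 the sizing pass comes up short by exactly one byte per header, so a caller that allocates the reported size cannot hold the formatted output.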
Created attachment 6740: Trivial patch
Note that the patch is not needed if the patch for bug 20656 is applied.
Enabling the PatchAvailable keyword. Updated doc on submitting patches is at http://httpd.apache.org/dev/patches.html
Patch committed to Apache 2.1-dev; will propose for backport to stable branch soon. Thanks!
+1 here to backport, thanks Jesse.