From 0aaf939e5ec05db711f26acafc9909ee95cca172 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20B=C3=BChler?=
Date: Fri, 14 Feb 2014 21:06:03 +0000
Subject: [PATCH] [mod_rrdtool] fix invalid read (string not null terminated)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Stefan Bühler

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2940 152afb58-edef-0310-8abb-c4023f1b3aa9
---
 NEWS | 1 +
 src/mod_rrdtool.c | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index ca1e206e..4abb2b33 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ NEWS
 - 1.4.35
 * [network/ssl] fix build error if TLSEXT is disabled
 * [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active)
+ * [mod_rrdtool] fix invalid read (string not null terminated)
 - 1.4.34
 * [mod_auth] explicitly link ssl for SHA1 (fixes #2517)
diff --git a/src/mod_rrdtool.c b/src/mod_rrdtool.c
index 122c79ec..5c5ea881 100644
--- a/src/mod_rrdtool.c
+++ b/src/mod_rrdtool.c
@@ -437,7 +437,7 @@ TRIGGER_FUNC(mod_rrd_trigger) {
 }
 buffer_prepare_copy(p->resp, 4096);
- if (-1 == (r = safe_read(p->read_fd, p->resp->ptr, p->resp->size))) {
+ if (-1 == (r = safe_read(p->read_fd, p->resp->ptr, p->resp->size - 1))) {
 p->rrdtool_running = 0;
 log_error_write(srv, __FILE__, __LINE__, "ss",
@@ -446,7 +446,8 @@ TRIGGER_FUNC(mod_rrd_trigger) {
 return HANDLER_ERROR;
 }
- p->resp->used = r;
+ p->resp->used = r + 1;
+ p->resp->ptr[r] = '\0';
 if (p->resp->ptr[0] != 'O' || p->resp->ptr[1] != 'K') {
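Review bot: Only a return of `-1` from safe_read() is treated as failure on the changed line, so a zero-byte read continues into response parsing with an empty string and `rrdtool_running` still set. A zero return is presumably what a closed pipe from the rrdtool child produces, so it may deserve its own branch that clears `rrdtool_running`, for example `if (0 == r) { p->rrdtool_running = 0; return HANDLER_ERROR; }` with a log line in the file's style. Separately, `p->resp->size - 1` relies on the preceding `buffer_prepare_copy(p->resp, 4096)` having left a non-zero `size`, and that call's result is not checked in the visible lines. If `size` is unsigned, a zero there would wrap to a very large read count. The body of mod_rrd_trigger starts and ends outside this hunk.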
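Review bot: The store `p->resp->ptr[r] = '\0'` stays in bounds only because the read in the previous hunk is capped at `size - 1`, and nothing at this spot says so. A later edit to either line could silently reintroduce an out-of-bounds write or an unterminated string. The `r + 1` is also unexplained; from the change it appears that `used` counts the terminating NUL for this buffer type. I would add a comment above the two new lines such as `/* used includes the terminating '\0'; the read above left one byte free for it */`. The `'O'`/`'K'` test that follows is safe for one-byte responses now, since `ptr[1]` is then the terminator rather than unread memory.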