From 9722758dd8ea9500d93b59ef480ae71b02c5c55a Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Sun, 12 Apr 2026 22:42:31 +0200
Subject: [PATCH] fix: heap buffer overflow in acmp pm
---
 apache2/acmp.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/apache2/acmp.c b/apache2/acmp.c
index 3691dd12e5..12c91848ba 100644
--- a/apache2/acmp.c
+++ b/apache2/acmp.c
@@ -514,7 +514,7 @@ apr_status_t acmp_add_pattern(ACMP *parser, const char *pattern,
 child->pattern = "";
 child->letter = letter;
 child->depth = i;
- child->text = apr_pcalloc(parser->pool, strlen(pattern) + 2);
+ child->text = apr_pcalloc(parser->pool, i + 2);
 /* ENH: Check alloc succeded */
 for (j = 0; j <= i; j++) child->text[j] = pattern[j];
 }
@@ -522,9 +522,10 @@ apr_status_t acmp_add_pattern(ACMP *parser, const char *pattern,
 if (child->is_last == 0) {
 parser->dict_count++;
 child->is_last = 1;
- child->pattern = apr_pcalloc(parser->pool, strlen(pattern) + 2);
+ child->pattern = apr_pcalloc(parser->pool, length + 1);
 /* ENH: Check alloc succeded */
- strcpy(child->pattern, pattern);
+ memcpy(child->pattern, pattern, length);
+ child->pattern[length] = '\0';
 }
 child->callback = callback;
 child->callback_data = data;
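Review bot: The new size `i + 2` in the first hunk is correct only because the copy loop two lines below writes indexes 0..i and leaves the terminator to the zeroing allocator, and nothing in the code records that coupling. I would put `/* i + 1 prefix bytes copied below, plus the NUL left by apr_pcalloc */` above the allocation, and replace the byte loop with `memcpy(child->text, pattern, i + 1);` so it reads like the copy added in the second hunk. The loop that bounds `i` starts outside this hunk, so whether `i` always stays below the number of readable bytes in `pattern` cannot be confirmed from here.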
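Review bot: In the second hunk, `memcpy(child->pattern, pattern, length)` trusts `length` as the number of readable bytes in `pattern`, whereas the removed `strcpy` stopped at the first NUL, so the safety of the read now rests entirely on how `length` is derived. That derivation is outside the hunk; if it can come from a caller-supplied value, the contract should be written down next to the copy, for example `/* length is the byte count of pattern; pattern need not be NUL-terminated */`. A pattern with an embedded NUL is now stored in full, yet any consumer that treats `child->pattern` as a C string would still see it cut short, which is worth confirming against the code that reports matches. The commit carries no regression test; one that adds a pattern which is not NUL-terminated within its stated length would pin both allocation sizes.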