apache2/httpd-2.2.x-bnc690734.patch

--- server/util_script.c.orig
+++ server/util_script.c
@@ -415,6 +415,7 @@ AP_DECLARE(int) ap_scan_script_header_er
 {
     char x[MAX_STRING_LEN];
     char *w, *l;
+    int wlen;
     int p;
     int cgi_status = HTTP_UNSET;
     apr_table_t *merge;
@@ -425,7 +426,14 @@ AP_DECLARE(int) ap_scan_script_header_er
     if (buffer) {
         *buffer = '\0';
     }
-    w = buffer ? buffer : x;
+
+    if (r->server->limit_req_fieldsize + 2 > MAX_STRING_LEN) {
+        w = apr_palloc(r->pool, r->server->limit_req_fieldsize + 2);
+        wlen = r->server->limit_req_fieldsize + 2;
+    } else {
+        w = buffer ? buffer : x;
+        wlen = MAX_STRING_LEN;
+    }
 
     /* temporary place to hold headers to merge in later */
     merge = apr_table_make(r->pool, 10);
@@ -441,7 +449,7 @@ AP_DECLARE(int) ap_scan_script_header_er
 
     while (1) {
 
-        int rv = (*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data);
+        int rv = (*getsfunc) (w, wlen - 1, getsfunc_data);
         if (rv == 0) {
             const char *msg = "Premature end of script headers";
             if (first_header)
@@ -553,9 +561,12 @@ AP_DECLARE(int) ap_scan_script_header_er
         if (!(l = strchr(w, ':'))) {
             if (!buffer) {
                 /* Soak up all the script output - may save an outright kill */
-                while ((*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data)) {
+                while ((*getsfunc) (w, wlen - 1, getsfunc_data)) {
                     continue;
                 }
+	    } else if (w != buffer) {
+		strncpy(buffer, w, MAX_STRING_LEN - 1);
+		buffer[MAX_STRING_LEN - 1] = 0;
             }
 
             ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,