Lighttpd

Thanks for the report. This patch fixes the problem:

--- a/src/mod_ssi.c
+++ b/src/mod_ssi.c
@@ -1160,6 +1160,9 @@ static int process_ssi_stmt(request_st * const r, handler_ctx * const p, const c
                /* send cmd output to a temporary file */
                if (0 != chunkqueue_append_mem_to_tempfile(cq, "", 0, errh)) break;
                c = cq->last;
+               off_t flen = c->file.length;
+               if (flen != lseek(c->file.fd, flen, SEEK_SET))
+                       log_perror(errh, __FILE__, __LINE__, "lseek failed");

                int status = 0;
                struct stat stb;
@@ -1184,7 +1187,7 @@ static int process_ssi_stmt(request_st * const r, handler_ctx * const p, const c
                        if (0 == fstat(c->file.fd, &stb)) {
                        }
                }
-               chunkqueue_update_file(cq, c, stb.st_size);
+               chunkqueue_update_file(cq, c, stb.st_size - flen);
                break;
        }
        case SSI_IF: {

Yikes! I think this may have been broken since lighttpd 1.4.56 in commit 9f8a8968 which had the wrong file size if there was data in the .shtml prior to the #exec (which would be common) and then also broken by later changes to use pwrite(), which did not update file offset, and sendfile(), which errors out with the wrong file size.

The garbled and truncated output you saw is in the temporary file, as the output of the #exec overwrites the beginning of the temporary file which contains the generated SSI output. There is no memory corruption in lighttpd from this bug.

I'll add another test case to src/t/test_mod_ssi.c

From what version of lighttpd are you upgrading?

Applied in changeset 4bdd6363e26c6f5a6de1df82d17e3fa99416c282.