Last change
on this file since 2134 was
2134,
checked in by achernya, 13 years ago
|
Patch httpd against some security vulnerabilities.
|
File size:
1006 bytes
|
Rev | Line | |
---|
[2134] | 1 | --- httpd/httpd/branches/2.2.x/server/util.c 2012/01/04 19:42:04 1227279 |
---|
| 2 | +++ httpd/httpd/branches/2.2.x/server/util.c 2012/01/04 19:45:22 1227280 |
---|
| 3 | @@ -82,6 +82,8 @@ |
---|
| 4 | #define IS_SLASH(s) (s == '/') |
---|
| 5 | #endif |
---|
| 6 | |
---|
| 7 | +/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */ |
---|
| 8 | +#define UTIL_SIZE_MAX (~((apr_size_t)0)) |
---|
| 9 | |
---|
| 10 | /* |
---|
| 11 | * Examine a field value (such as a media-/content-type) string and return |
---|
| 12 | @@ -366,7 +368,7 @@ |
---|
| 13 | char *dest, *dst; |
---|
| 14 | char c; |
---|
| 15 | size_t no; |
---|
| 16 | - int len; |
---|
| 17 | + apr_size_t len; |
---|
| 18 | |
---|
| 19 | if (!source) |
---|
| 20 | return NULL; |
---|
| 21 | @@ -391,6 +393,11 @@ |
---|
| 22 | len++; |
---|
| 23 | } |
---|
| 24 | else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { |
---|
| 25 | + if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) { |
---|
| 26 | + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, |
---|
| 27 | + "integer overflow or out of memory condition." ); |
---|
| 28 | + return NULL; |
---|
| 29 | + } |
---|
| 30 | len += pmatch[no].rm_eo - pmatch[no].rm_so; |
---|
| 31 | } |
---|
| 32 | |
---|
Note: See
TracBrowser
for help on using the repository browser.