|
Last change
on this file since 2139 was
2134,
checked in by achernya, 12 years ago
|
|
Patch httpd against some security vulnerabilities.
|
|
File size:
1006 bytes
|
| Rev | Line | |
|---|
| [2134] | 1 | --- httpd/httpd/branches/2.2.x/server/util.c 2012/01/04 19:42:04 1227279 |
|---|
| 2 | +++ httpd/httpd/branches/2.2.x/server/util.c 2012/01/04 19:45:22 1227280 |
|---|
| 3 | @@ -82,6 +82,8 @@ |
|---|
| 4 | #define IS_SLASH(s) (s == '/') |
|---|
| 5 | #endif |
|---|
| 6 | |
|---|
| 7 | +/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */ |
|---|
| 8 | +#define UTIL_SIZE_MAX (~((apr_size_t)0)) |
|---|
| 9 | |
|---|
| 10 | /* |
|---|
| 11 | * Examine a field value (such as a media-/content-type) string and return |
|---|
| 12 | @@ -366,7 +368,7 @@ |
|---|
| 13 | char *dest, *dst; |
|---|
| 14 | char c; |
|---|
| 15 | size_t no; |
|---|
| 16 | - int len; |
|---|
| 17 | + apr_size_t len; |
|---|
| 18 | |
|---|
| 19 | if (!source) |
|---|
| 20 | return NULL; |
|---|
| 21 | @@ -391,6 +393,11 @@ |
|---|
| 22 | len++; |
|---|
| 23 | } |
|---|
| 24 | else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { |
|---|
| 25 | + if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) { |
|---|
| 26 | + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, |
|---|
| 27 | + "integer overflow or out of memory condition." ); |
|---|
| 28 | + return NULL; |
|---|
| 29 | + } |
|---|
| 30 | len += pmatch[no].rm_eo - pmatch[no].rm_so; |
|---|
| 31 | } |
|---|
| 32 | |
|---|
Note: See
TracBrowser
for help on using the repository browser.
