ronald      99/04/10 16:21:23

  Modified:    src      CHANGES
               src/main util.c
  Log:
  ap_uuencode was not allocating space for terminating '\0'
  ap_uudecode was running past the beginning of the buffer for empty input
  strings, and past the end of the buffer for certain (invalid) input
  
  PR: 3422
  Reviewed by:  Dean Gaudet
  
  Revision  Changes    Path
  1.1307    +4 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1306
  retrieving revision 1.1307
  diff -u -r1.1306 -r1.1307
  --- CHANGES   1999/04/10 21:51:01     1.1306
  +++ CHANGES   1999/04/10 23:21:21     1.1307
  @@ -1,5 +1,9 @@
   Changes with Apache 1.3.7
   
  +  *) Fix buffer overflows in ap_uuencode and ap_uudecode pointed out
  +     by "Peter 'Luna' Altberg <[EMAIL PROTECTED]>" and PR#3422
  +     [Peter 'Luna' Altberg <[EMAIL PROTECTED]>, Ronald Tschalär]
  +
     *) Make {Set,Unset,Pass}Env per-directory instead of per-server.
        [Ben Laurie]
   
  
  
  
  1.157     +23 -15    apache-1.3/src/main/util.c
  
  Index: util.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/main/util.c,v
  retrieving revision 1.156
  retrieving revision 1.157
  diff -u -r1.156 -r1.157
  --- util.c    1999/03/20 15:41:07     1.156
  +++ util.c    1999/04/10 23:21:23     1.157
  @@ -1962,7 +1962,7 @@
   
       bufin = (const unsigned char *) bufcoded;
   
  -    while (nprbytes > 0) {
  +    while (nprbytes > 4) {
        *(bufout++) =
            (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
        *(bufout++) =
  @@ -1973,13 +1973,15 @@
        nprbytes -= 4;
       }
   
  -    if (nprbytes & 03) {
  -     if (pr2six[bufin[-2]] > 63)
  -         nbytesdecoded -= 2;
  -     else
  -         nbytesdecoded -= 1;
  +    /* Note: (nprbytes == 1) would be an error, so just ingore that case */
  +    if (nprbytes > 1) {
  +     *(bufout++) =
  +         (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
       }
  -    bufplain[nbytesdecoded] = '\0';
  +    if (nprbytes > 2) {
  +     *(bufout++) =
  +         (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
  +    }
   #else /*CHARSET_EBCDIC*/
       bufin = (const unsigned char *) bufcoded;
       while (pr2six[os_toascii[(unsigned char)*(bufin++)]] <= 63);
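Review bot: The tail handling added after the loop never writes the third byte of a final complete group: with `while (nprbytes > 4)`, a last group of exactly four characters (unpadded input whose length is a multiple of four) reaches only the `nprbytes > 1` and `nprbytes > 2` branches. The trailer in the later hunk subtracts `(4 - nprbytes) & 3`, which is 0 in that case, so the terminator is placed as if three bytes had been produced and the last decoded byte is whatever the pool allocation already held. A third branch closes the gap: `if (nprbytes > 3) *(bufout++) = (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);`. The EBCDIC tail in the `@@ -2002,14 +2004,20 @@` hunk needs the same branch with the `os_toebcdic[...]`/`os_toascii[...]` wrapping. The function begins above this hunk, so the sizing of `bufplain` is inferred from the trailer rather than seen.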
  @@ -1991,7 +1993,7 @@
   
       bufin = (const unsigned char *) bufcoded;
   
  -    while (nprbytes > 0) {
  +    while (nprbytes > 4) {
        *(bufout++) = os_toebcdic[
            (unsigned char) (pr2six[os_toascii[*bufin]] << 2 | 
pr2six[os_toascii[bufin[1]]] >> 4)];
        *(bufout++) = os_toebcdic[
  @@ -2002,14 +2004,20 @@
        nprbytes -= 4;
       }
   
  -    if (nprbytes & 03) {
  -     if (pr2six[os_toascii[bufin[-2]]] > 63)
  -         nbytesdecoded -= 2;
  -     else
  -         nbytesdecoded -= 1;
  +    /* Note: (nprbytes == 1) would be an error, so just ingore that case */
  +    if (nprbytes > 1) {
  +     *(bufout++) = os_toebcdic[
  +         (unsigned char) (pr2six[os_toascii[*bufin]] << 2 | 
pr2six[os_toascii[bufin[1]]] >> 4)];
       }
  -    bufplain[nbytesdecoded] = '\0';
  +    if (nprbytes > 2) {
  +     *(bufout++) = os_toebcdic[
  +         (unsigned char) (pr2six[os_toascii[bufin[1]]] << 4 | 
pr2six[os_toascii[bufin[2]]] >> 2)];
  +    }
   #endif /*CHARSET_EBCDIC*/
  +
  +    nbytesdecoded -= (4 - nprbytes) & 3;
  +    bufplain[nbytesdecoded] = '\0';
  +
       return bufplain;
   }
   
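Review bot: The adjustment `nbytesdecoded -= (4 - nprbytes) & 3;` is not self-explanatory and has no comment. It trims the estimate by 2, 1 or 3 bytes when the final group holds 2, 3 or 1 characters, and by nothing when it holds 0 or 4. Something like `/* a short final group of 1, 2 or 3 chars yields 0, 1 or 2 bytes: trim the estimate to match */` above it would make the intent checkable against the branches that write the tail. The comment added in both tails spells "ingore" for "ignore". It also means a lone trailing character is dropped silently, which belongs in the function's header comment (outside this hunk) so callers know malformed input is not reported.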
  @@ -2020,7 +2028,7 @@
   { 
       int i, len = strlen(string); 
       char *p; 
  -    char *encoded = (char *) ap_palloc(a, (len+2) / 3 * 4); 
  +    char *encoded = (char *) ap_palloc(a, ((len+2) / 3 * 4) + 1); 
    
       p = encoded; 
   #ifndef CHARSET_EBCDIC
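Review bot: The new size `((len+2) / 3 * 4) + 1` is still computed in signed `int`, with `len` narrowed from `strlen(string)`, so a very long input would overflow the expression before it reaches `ap_palloc`. Whether any caller can pass a string that long is not visible here, but a bound before the allocation, `if (len < 0 || len > (INT_MAX - 1) / 4 * 3) return NULL;`, would make the sizing safe regardless. That assumes callers tolerate a NULL return, which needs checking. A short comment on the `+ 1`, such as `/* +1 for the terminating '\0' */`, would also keep the fix from being undone later. The function (presumably ap_uuencode, per the log) continues past the end of this hunk.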
  
  
  
