https://bz.apache.org/bugzilla/show_bug.cgi?id=64297
--- Comment #2 from [email protected] ---

Hi Stefan,

Yeah, indeed, I think you're right, so I dove into md_json_readb and saw this:

    apr_status_t md_json_readd(md_json_t **pjson, apr_pool_t *pool,
                               const char *data, size_t data_len)
    {
        json_error_t error;
        json_t *j;

        j = json_loadb(data, data_len, 0, &error);
        if (!j) {                        /* (5) */
            return APR_EINVAL;
        }
        *pjson = json_create(pool, j);
        return APR_SUCCESS;
    }

So if we go to the branch:

    rv = md_json_readb(pjson, pool, res->body);

it will trigger (5) with data being res->body, under attacker control, and I guess it can make it return 0 and it will keep pjson (our *problem) uninit as well.

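The out-parameter pattern the comment above describes, as an added illustration that is not mod_md's or the reporter's code: a stand-in parser (demo_loadb, a constructed placeholder for jansson's json_loadb) fails on bad input, the reported shape of the reader returns early without writing *pjson, and a hardened variant initialises the out-parameter on entry so a caller that ignores the status still sees NULL rather than an indeterminate pointer.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char *text; } demo_json_t;   /* stand-in for md_json_t */

#define DEMO_SUCCESS 0
#define DEMO_EINVAL  22

/* Stand-in for json_loadb(): accepts only brace-wrapped input and returns
 * NULL otherwise, which is the branch marked (5) in the comment. */
static demo_json_t *demo_loadb(const char *data, size_t len)
{
    demo_json_t *j;
    if (len < 2 || data[0] != '{' || data[len - 1] != '}') return NULL;
    j = malloc(sizeof(*j));
    if (!j) return NULL;
    j->text = malloc(len + 1);
    if (!j->text) { free(j); return NULL; }
    memcpy(j->text, data, len);
    j->text[len] = '\0';
    return j;
}

/* Shape as reported: on parse failure the callee returns early and never
 * writes *pjson, so the caller's pointer keeps whatever it held before. */
int readd_as_reported(demo_json_t **pjson, const char *data, size_t len)
{
    demo_json_t *j = demo_loadb(data, len);
    if (!j) return DEMO_EINVAL;          /* *pjson left untouched */
    *pjson = j;
    return DEMO_SUCCESS;
}

/* Hardened: set the out-parameter to NULL first; a caller that fails to
 * check the status then dereferences NULL (a crash) rather than garbage. */
int readd_hardened(demo_json_t **pjson, const char *data, size_t len)
{
    demo_json_t *j;
    *pjson = NULL;
    j = demo_loadb(data, len);
    if (!j) return DEMO_EINVAL;
    *pjson = j;
    return DEMO_SUCCESS;
}

void demo_json_free(demo_json_t *j) { if (j) { free(j->text); free(j); } }
```

Callers should still check the returned status before using the pointer; the NULL initialisation is defence in depth against the case the comment describes, not a substitute for that check.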