Hi Folks,

We recently started using Sentry (static analysis tool) to analyze
apache httpd on a nightly basis. Sentry found a potential uninitialized
variable in mod_data.c added in commit 1133582.

I'm not sure if this case is actually possible at runtime, but
I'll describe it here. Note, you can view the file I'm talking
about here,
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_data.c?revision=1133582&view=markup&pathrev=1133582

static apr_status_t data_out_filter(...
{
    ...
    if (!ctx) {
        ...
        // EVENT 1: charset is uninitialized
        char *charset;
        ...
        // EVENT 2: Take false path here
        if (!ap_is_initial_req(f->r)) {
            ap_remove_output_filter(f);
            return ap_pass_brigade(f->next, bb);
        }
        ...
        type = apr_pstrdup(r->pool, r->content_type);
        // EVENT 3: take false path here
        if (type) {
            charset = strchr(type, ' ');
            if (charset) {
                *charset++ = 0;
                end = strchr(charset, ' ');
                if (end) {
                    *end++ = 0;
                }
            }
        }

        // EVENT 4: charset is used uninitialized.
        // If it's possible to reach this case, you could potentially
        // pass bogus data into the second %s.
        apr_brigade_printf(ctx->bb, NULL, NULL, "data:%s%s;base64,",
                type ? type : "", charset ? charset : "");

If this case is reachable, I would suggest a patch like this:

- char *charset;
+ char *charset = 0;

Thanks,

Chris

-- 
Chris Wilson
http://vigilantsw.com/
Vigilant Software, LLC
