Hi there,
Revision 1198940 attempts to fix an integer overflow in ap_pregsub() in
server/util.c:394. The patch is:
--- httpd/httpd/trunk/server/util.c 2011/11/07 21:09:41 1198939
+++ httpd/httpd/trunk/server/util.c 2011/11/07 21:13:40 1198940
@@ -411,6 +411,8 @@
len++;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
+ return APR_ENOMEM;
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}
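Review bot: The guard on the added line compares an apr_size_t expression with the signed difference `pmatch[no].rm_eo - pmatch[no].rm_so`; the `rm_so < rm_eo` test on the enclosing `else if` line is what keeps that difference positive before it is converted to unsigned, and that dependency should be stated next to the check, e.g. `/* rm_eo > rm_so was tested above, so the difference is positive before conversion to apr_size_t */`. Using `<=` rather than `<` is correct here because the allocation below the hunk is `apr_pcalloc(p, len + 1)`, so len itself must stay strictly below APR_SIZE_MAX; a second comment naming that `+ 1` would stop a future reader from "fixing" it to `<`. The loop and the function this sits in start and end outside the hunk.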
and it appears to be wrong, because ap_pregsub() is declared as
AP_DECLARE(char *) ap_pregsub(...)
This would require something along the lines of (proposal):
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL,
+ "integer overflow or out of memory condition." );
+ return NULL;
+ }
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}
}
dest = dst = apr_pcalloc(p, len + 1);
+ if(!dest)
+ return NULL;
+
+
/* Now actually fill in the string */
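Review bot: The added `if(!dest) return NULL;` changes what callers of ap_pregsub() can observe: whether apr_pcalloc() can return NULL at all depends on whether the pool has an abort function installed, and where it can, every call site of ap_pregsub() now has to tolerate a NULL result, which this page does not show being audited. Presumably returning NULL matches how the function already reports its other failure cases, but that should be confirmed against the rest of util.c. As a point of style the new test should follow the braced form used a few lines above in the same hunk, `if (!dest) {` / `return NULL;` / `}`, and the two added blank lines before the `/* Now actually fill in the string */` comment look unintentional. The function begins and ends outside the hunk.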
...or simply without the error logging.
Thoughts?
Thanks,
Roman.