On Wed, 21 Dec 2011, Greg Ames wrote:
On Tue, Dec 20, 2011 at 4:26 AM, William A. Rowe Jr.
<[email protected]> wrote:
We should come to a conclusion on this.
How about this for 2.2.x ?
--- server/util.c (revision 1179624)
+++ server/util.c (working copy)
@@ -82,6 +82,8 @@
#define IS_SLASH(s) (s == '/')
#endif
+/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
+#define UTIL_SIZE_MAX (~((apr_size_t)0))
/*
* Examine a field value (such as a media-/content-type) string and return
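Review bot: UTIL_SIZE_MAX is defined unconditionally even though its comment says it duplicates APR_SIZE_MAX from APR 1.3 and later. Consider wrapping the definition in `#ifdef APR_SIZE_MAX` so the APR value is used when the headers provide it, with `(~((apr_size_t)0))` kept only as the fallback for older APR. The comment should also say that the macro exists for the length overflow check added further down in this file, so a later reader knows why it is here.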
@@ -391,6 +393,11 @@
len++;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL,
+ "integer overflow or out of memory condition." );
+ return NULL;
+ }
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}
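Review bot: The new guard `if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)` bounds the sum by the maximum of apr_size_t, so it only protects `len += ...` if len itself is an apr_size_t. The hunk does not show the declaration of len; if it is a narrower signed type, len wraps long before this condition becomes true and the check never fires, so the declaration needs to change in the same patch. The comparison also mixes the unsigned macro with the difference of two rm_eo/rm_so offsets; the enclosing `rm_so < rm_eo` test keeps that difference positive, but an explicit cast to apr_size_t would make that intent visible. Finally, the message "integer overflow or out of memory condition." is logged with a NULL server and does not name the function or the input that triggered it, which makes the warning hard to act on when it shows up in an error log.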
len is int in 2.2. This should be changed into an apr_size_t, too.
Full disclosure: my make using apr 1.2 choked trying to compile
byterange_filter because apr_array_clear wasn't defined. It is in apr
1.3. However httpd's configure.in appears to be happy with any apr
1.x release.
Then configure should be fixed, IMHO.