> On 15.04.2022 at 15:24, Yann Ylavic <ylavic....@gmail.com> wrote:
> 
> On Wed, Apr 6, 2022 at 11:17 AM <ic...@apache.org> wrote:
>> 
>> Modified: httpd/httpd/trunk/server/util.c
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?rev=1899609&r1=1899608&r2=1899609&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/server/util.c (original)
>> +++ httpd/httpd/trunk/server/util.c Wed Apr  6 09:17:42 2022
>> @@ -2615,7 +2615,7 @@ AP_DECLARE(void) ap_content_type_tolower
>>  */
>> AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
>> {
>> -    int newlen = 0;
>> +    apr_ssize_t extra = 0;
> 
> Shouldn't it be an apr_size_t?

Similar comment raised on the PR https://github.com/apache/httpd/pull/298

Not totally sure. The thing is that C in general has a problem with
strings where ptrdiff_t (apr_ssize_t) is not sufficient. Allocating something
larger than ptrdiff_t leads to undefined behaviour.

So, maybe we should check that "(inchr - instring) + extra + 1" does not
wrap around?

> 
>>     const char *inchr = instring;
>>     char *outchr, *outstring;
>> 
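Review bot: the new counter `extra` is only ever incremented and is later added to the pointer difference `inchr - instring` before the sum is handed to apr_palloc (which takes an apr_size_t), so the choice of apr_ssize_t over apr_size_t at `+    apr_ssize_t extra = 0;` deserves a one-line comment at the declaration; whichever signedness is kept, the sum `(inchr - instring) + extra + 1` should be range-checked before the allocation rather than relied on to stay in range.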
>> @@ -2624,9 +2624,8 @@ AP_DECLARE(char *) ap_escape_quotes(apr_
>>      * string up by an extra byte each time we find an unescaped ".
>>      */
>>     while (*inchr != '\0') {
>> -        newlen++;
>>         if (*inchr == '"') {
>> -            newlen++;
>> +            extra++;
>>         }
>>         /*
>>          * If we find a slosh, and it's not the last byte in the string,
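Review bot: a readability point at `+            extra++;`: with both `newlen++` lines removed, this loop now only counts quotes that will gain a backslash, while the comment above it still speaks of bumping the string length; a short comment such as `/* one extra byte for the escaping backslash */` next to `extra++` would make the later length computation self-explanatory.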
>> @@ -2634,11 +2633,15 @@ AP_DECLARE(char *) ap_escape_quotes(apr_
>>          */
>>         else if ((*inchr == '\\') && (inchr[1] != '\0')) {
>>             inchr++;
>> -            newlen++;
>>         }
>>         inchr++;
>>     }
>> -    outstring = apr_palloc(p, newlen + 1);
>> +
>> +    if (!extra) {
>> +        return apr_pstrdup(p, instring);
>> +    }
>> +
>> +    outstring = apr_palloc(p, (inchr - instring) + extra + 1);
>>     inchr = instring;
>>     outchr = outstring;
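Review bot: the size expression `(inchr - instring) + extra + 1` at the new apr_palloc call is evaluated in signed arithmetic (ptrdiff_t plus apr_ssize_t) and only then converted to apr_size_t, so an overlong input can make it wrap silently and yield a too-small buffer; since `inchr` sits on the terminating NUL when the counting loop ends, `inchr - instring` is exactly the input length, and the wrap-around check proposed in the reply (length plus extra plus one must not overflow) belongs immediately before this call. The early `return apr_pstrdup(p, instring);` for the no-quote case is fine and skips the second pass entirely.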
> 
> 
> Regards;
> Yann.
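As an added stand-alone illustration of the wrap-around check discussed above (not httpd code and not part of the thread), the following plain C mirrors the counting loop from the patch and then computes `len + extra + 1` with an explicit overflow check before allocating. It uses malloc in place of apr_palloc, SIZE_MAX from stdint.h in place of an APR type limit, and the hypothetical names `count_unescaped_quotes`, `escaped_alloc_size` and `escape_quotes_checked`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mirror of the counting loop in the patch: every '"' will gain a backslash,
 * and a '\\' followed by a non-NUL byte protects that next byte, which is
 * skipped. Returns the number of extra bytes; *len_out receives strlen(s),
 * taken from the pointer position at the terminating NUL, as in the patch. */
static size_t count_unescaped_quotes(const char *s, size_t *len_out)
{
    const char *p = s;
    size_t extra = 0;

    while (*p != '\0') {
        if (*p == '"') {
            extra++;                 /* one extra byte for the escaping backslash */
        }
        else if (*p == '\\' && p[1] != '\0') {
            p++;                     /* skip the protected byte */
        }
        p++;
    }
    *len_out = (size_t)(p - s);      /* p is on the terminating NUL */
    return extra;
}

/* The check proposed in the reply: len + extra + 1 must not wrap.
 * Returns the allocation size, or 0 on overflow (a valid size is always >= 1). */
static size_t escaped_alloc_size(size_t len, size_t extra)
{
    if (extra > SIZE_MAX - 1 || len > SIZE_MAX - 1 - extra) {
        return 0;
    }
    return len + extra + 1;
}

/* Hypothetical stand-alone variant of ap_escape_quotes built on malloc.
 * Returns NULL if the size computation would wrap or allocation fails. */
char *escape_quotes_checked(const char *instring)
{
    size_t len, extra, need;
    const char *in;
    char *out, *outstring;

    extra = count_unescaped_quotes(instring, &len);
    if (extra == 0) {
        /* nothing to escape: plain copy, the role apr_pstrdup plays in the patch */
        outstring = malloc(len + 1);
        if (!outstring) {
            return NULL;
        }
        memcpy(outstring, instring, len + 1);
        return outstring;
    }

    need = escaped_alloc_size(len, extra);
    if (need == 0) {
        return NULL;                 /* refuse rather than allocate a too-small buffer */
    }
    outstring = malloc(need);
    if (!outstring) {
        return NULL;
    }

    in = instring;
    out = outstring;
    while (*in != '\0') {
        if (*in == '"') {
            *out++ = '\\';           /* escape the quote */
        }
        else if (*in == '\\' && in[1] != '\0') {
            *out++ = *in++;          /* copy the backslash, then the byte it protects */
        }
        *out++ = *in++;
    }
    *out = '\0';
    return outstring;
}
```

The output length is always `len + extra`, so `need` is exact; the only new failure mode compared with the patch is the explicit NULL return when the size would wrap, which the caller must handle.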
