* modules/filters/mod_substitute.c (do_pattmatch):
authorJoe Orton <jorton@apache.org>
Fri, 5 Jun 2026 09:36:25 +0000 (09:36 +0000)
committerJoe Orton <jorton@apache.org>
Fri, 5 Jun 2026 09:36:25 +0000 (09:36 +0000)
  Improve bounds checking for line length validation.

Submitted by: metsw24-max <metsw24 gmail.com>
Github: closes #624

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935001 13f79535-47bb-0310-9956-ffa450edef68

modules/filters/mod_substitute.c

index 19819b8f23eccccc68e6a0cb4710e2c95e9dd7b7..65ca5f95d01a4f86a4dbc3a4d6b87a9e95c77133 100644 (file)
@@ -239,7 +239,9 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
                              * are constanting allocing space and copying
                              * strings.
                              */
-                            if (vb.strlen + len + replen > cfg->max_line_length)
+                            if (vb.strlen > cfg->max_line_length
+                                    || len > cfg->max_line_length - vb.strlen
+                                    || replen > cfg->max_line_length - vb.strlen - len)
                                 return APR_ENOMEM;
                             ap_varbuf_strmemcat(&vb, buff, len);
                             ap_varbuf_strmemcat(&vb, replacement, replen);
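Review bot: The rewritten condition here, and the `space_left` check in the next hunk, carry no comment saying why the limit is compared by subtraction, so a later cleanup could easily fold them back into the wrapping form `vb.strlen + len + replen > cfg->max_line_length`. I would add above the condition something like `/* Subtract rather than add: the sum of the lengths can wrap and slip past the limit. */`. It is also worth stating that the leading clause `vb.strlen > cfg->max_line_length` is what keeps the two subtractions after it from underflowing. The body of do_pattmatch starts and ends outside this hunk.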
@@ -251,7 +253,7 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
                              * Check if we still have space for this string and
                              * the replacement string.
                              */
-                            if (space_left < len + replen)
+                            if (len > space_left || replen > space_left - len)
                                 return APR_ENOMEM;
                             space_left -= len + replen;
                             /*
@@ -338,7 +340,8 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
                             /* Note that the last param in ap_varbuf_regsub below
                              * must stay positive. If it gets 0, it would mean
                              * unlimited space available. */
-                            if (vb.strlen + regm[0].rm_so >= cfg->max_line_length)
+                            if (vb.strlen >= cfg->max_line_length
+                                    || (apr_size_t)regm[0].rm_so > cfg->max_line_length - vb.strlen)
                                 return APR_ENOMEM;
                             /* copy bytes before the match */
                             if (regm[0].rm_so > 0)
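Review bot: The second clause of the new check uses `>` where the removed line's `>=` rejected the boundary case, so a match with `regm[0].rm_so == cfg->max_line_length - vb.strlen` now passes. The comment just above says the last argument to ap_varbuf_regsub must stay positive because 0 means unlimited space. If that argument is computed as `cfg->max_line_length - vb.strlen` after the pre-match bytes are appended (the call is outside this hunk, so this is inferred), the boundary case yields exactly 0 and the length limit is silently disabled. Keeping the original semantics needs `|| (apr_size_t)regm[0].rm_so >= cfg->max_line_length - vb.strlen)`. A regression test whose pre-match prefix fills the buffer to exactly max_line_length would pin this.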