mod_substitute: Fix memory limitation in case of
authorRainer Jung <rjung@apache.org>
Sun, 28 Sep 2014 21:38:33 +0000 (21:38 +0000)
committerRainer Jung <rjung@apache.org>
Sun, 28 Sep 2014 21:38:33 +0000 (21:38 +0000)
regexp plus flatten.

The maxlen argument of ap_varbuf_regsub() is unsigned.
Passing in "AP_SUBST_MAX_LINE_LENGTH - vb.strlen"
in case vb.strlen got too big didn't result in the
expected error but instead was handled as a very big
maxlen.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1628104 13f79535-47bb-0310-9956-ffa450edef68

modules/filters/mod_substitute.c

index 7618cdca81d030a18675da43ebe196a88fbf3c4d..cda5baa59a20434f24d033481e54201cae8e4cb0 100644 (file)
@@ -235,9 +235,11 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
                         have_match = 1;
                         if (script->flatten && !force_quick) {
                             /* copy bytes before the match */
+                            if (vb.strlen + regm[0].rm_so >= AP_SUBST_MAX_LINE_LENGTH)
+                                return APR_ENOMEM;
                             if (regm[0].rm_so > 0)
                                 ap_varbuf_strmemcat(&vb, pos, regm[0].rm_so);
-                            /* add replacement string */
+                            /* add replacement string, last argument is unsigned! */
                             rv = ap_varbuf_regsub(&vb, script->replacement, pos,
                                                   AP_MAX_REG_MATCH, regm,
                                                   AP_SUBST_MAX_LINE_LENGTH - vb.strlen);
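Review bot: The rewritten comment on the `ap_varbuf_regsub()` call says only that the last argument is unsigned, and does not record why the guard added above it uses `>=` rather than `>`. As far as I recall from the varbuf API documentation, a maxlen of 0 means "no limit", so the guard has to keep `vb.strlen` strictly below `AP_SUBST_MAX_LINE_LENGTH` after the `ap_varbuf_strmemcat()` call; a later change to `>` would bring the unbounded case back. I would spell that out, e.g. `/* add replacement string; maxlen is unsigned and 0 would mean unlimited, so the check above must keep vb.strlen < AP_SUBST_MAX_LINE_LENGTH */`. The new `return APR_ENOMEM` also leaves `do_pattmatch` directly, and since the function starts and ends outside the hunk, it cannot be confirmed from here whether `vb` or other state needs releasing on that path.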