From: Joe Orton Date: Fri, 17 Jul 2026 12:12:54 +0000 (+0000) Subject: mod_substitute: reject overflow values in SubstituteMaxLineLength X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f8cf7cdcf89b532df106047f9e68b3375ebdb49;p=thirdparty%2Fapache%2Fhttpd.git mod_substitute: reject overflow values in SubstituteMaxLineLength * modules/filters/mod_substitute.c (set_max_line_length): Check that the parsed value does not exceed APR_INT64_MAX / multiplier before applying the K/M/G suffix, to avoid signed integer overflow UB. Assisted-by: Claude Sonnet 4.6 GitHub: PR #685 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1936263 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/changes-entries/substitute-maxlinelength-overflow.txt b/changes-entries/substitute-maxlinelength-overflow.txt new file mode 100644 index 0000000000..7ad5397812 --- /dev/null +++ b/changes-entries/substitute-maxlinelength-overflow.txt @@ -0,0 +1,2 @@ + *) mod_substitute: Fix SubstituteMaxLineLength to reject values too + large for the K/M/G suffix. [Joe Orton] diff --git a/modules/filters/mod_substitute.c b/modules/filters/mod_substitute.c index 65ca5f95d0..ada62a6da1 100644 --- a/modules/filters/mod_substitute.c +++ b/modules/filters/mod_substitute.c @@ -777,12 +777,18 @@ static const char *set_max_line_length(cmd_parms *cmd, void *cfg, const char *ar rv = apr_strtoff(&max, arg, &end, 10); if (rv == APR_SUCCESS) { if ((*end == 'K' || *end == 'k') && !end[1]) { + if (max > APR_INT64_MAX / KBYTE) + return "SubstituteMaxLineLength value too large"; max *= KBYTE; } else if ((*end == 'M' || *end == 'm') && !end[1]) { + if (max > APR_INT64_MAX / MBYTE) + return "SubstituteMaxLineLength value too large"; max *= MBYTE; } else if ((*end == 'G' || *end == 'g') && !end[1]) { + if (max > APR_INT64_MAX / GBYTE) + return "SubstituteMaxLineLength value too large"; max *= GBYTE; } else if (*end && /* neither empty nor [Bb] */