From: Rainer Jung <rjung@apache.org>
Date: Sun, 28 Sep 2014 21:38:33 +0000 (+0000)
Subject: mod_substitute: Fix memory limitation in case of
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=60d09d9a2608229efa948006591ed731f487e7e0;p=thirdparty%2Fapache%2Fhttpd.git

mod_substitute: Fix memory limitation in case of
regexp plus flatten.

The maxlen argument of ap_varbuf_regsub() is unsigned.
Passing in "AP_SUBST_MAX_LINE_LENGTH - vb.strlen"
in case vb.strlen got to big didn't result in the
expected error but instead was handled as a very big
maxlen.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1628104 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/filters/mod_substitute.c b/modules/filters/mod_substitute.c
index 7618cdca81d..cda5baa59a2 100644
--- a/modules/filters/mod_substitute.c
+++ b/modules/filters/mod_substitute.c
@@ -235,9 +235,11 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
                         have_match = 1;
                         if (script->flatten && !force_quick) {
                             /* copy bytes before the match */
+                            if (vb.strlen + regm[0].rm_so >= AP_SUBST_MAX_LINE_LENGTH)
+                                return APR_ENOMEM;
                             if (regm[0].rm_so > 0)
                                 ap_varbuf_strmemcat(&vb, pos, regm[0].rm_so);
-                            /* add replacement string */
+                            /* add replacement string, last argument is unsigned! */
                             rv = ap_varbuf_regsub(&vb, script->replacement, pos,
                                                   AP_MAX_REG_MATCH, regm,
                                                   AP_SUBST_MAX_LINE_LENGTH - vb.strlen);