Fix integer overflow in ap_pregsub()
Trunk fix: r1198940
Submitted by: Stefan Fritsch, Greg Ames
Reviewed by: Stefan Fritsch, Greg Ames, Eric Covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1227280 13f79535-47bb-0310-9956-ffa450edef68
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]
+ *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+ Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
+ is enabled, could allow local users to gain privileges via a .htaccess
+ file. [Stefan Fritsch, Greg Ames]
+
*) core: Fix segfault in ap_send_interim_response(). PR 52315.
[Stefan Fritsch]
2.2.x patch: trunk patch works
+1: sf, gregames, covener
- * core: Fix integer overflow in ap_pregsub. CVE-2011-3607
- Trunk patch: http://svn.apache.org/viewvc?rev=1198940&view=rev
- 2.2.x patch: http://people.apache.org/~sf/CVE-2011-3607.diff
- +1: sf, gregames, covener
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
#define IS_SLASH(s) (s == '/')
#endif
+/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
+#define UTIL_SIZE_MAX (~((apr_size_t)0))
/*
* Examine a field value (such as a media-/content-type) string and return
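Review bot: the new UTIL_SIZE_MAX macro is correct for an unsigned type (`~((apr_size_t)0)` is the all-ones value), but since the comment says APR_SIZE_MAX exists from APR 1.3, consider preferring the official constant when it is available, e.g. `#ifdef APR_SIZE_MAX` / `#define UTIL_SIZE_MAX APR_SIZE_MAX` / `#else` the hand-rolled form, so that builds against newer APR do not carry a private duplicate of a public definition.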
char *dest, *dst;
char c;
size_t no;
- int len;
+ apr_size_t len;
if (!source)
return NULL;
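Review bot: the type change from `int len` to `apr_size_t len` is the part of the fix that makes the accumulated length well-defined: with the old signed `int`, adding large match spans could overflow into a negative value (undefined behaviour in C) and then be used for a too-small allocation. Two follow-ups worth a look: `no` in this same declaration block stays `size_t` while `len` becomes `apr_size_t`, so one of the two should be chosen for consistency, and every place that stores or passes `len` (the final allocation and any helper it is handed to) needs to take the unsigned type now, otherwise the comparison in the new guard silently mixes signed and unsigned operands.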
len++;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+ "integer overflow or out of memory condition." );
+ return NULL;
+ }
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}
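Review bot: the added `return NULL;` introduces a second failure path from ap_pregsub(), which previously returned NULL only for a NULL `source`, so every caller that assumed a non-NULL result for non-NULL input must be checked to handle the new return (otherwise the overflow is traded for a NULL dereference). The guard itself is sound: the enclosing `pmatch[no].rm_so < pmatch[no].rm_eo` test guarantees the span is positive before it is converted to `apr_size_t`, and using `<=` rather than `<` also rejects a total that would land exactly on UTIL_SIZE_MAX, leaving room for a later `len + 1` for the terminating byte. One small point: the plain `len++` branch above has no guard, which is acceptable only because those increments are bounded by the length of `source`; a short comment saying so would save the next reader from wondering whether that path was missed.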