sizeof(int) < sizeof(long) due to inappapriate casting;
* Change "MIN( (int) a, (int) b)" to "(int) MIN(a, b)". As 'a' is the buffer
size, it will be smaller than any long which overflows an int.
* More generally - change ap_bread and ap_bwrite to defend against a negative
length argument in general. Return -1 if one is passed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@896842
13f79535-47bb-0310-9956-
ffa450edef68
Changes with Apache 1.3.42
+ *) SECURITY: CVE-2010-0010 (cve.mitre.org)
+ mod_proxy: Prevent chunk-size integer overflow on platforms
+ where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.
+ [Colm MacCárthaigh]
+
*) IMPORTANT: This is the final release of Apache httpd 1.3.
Apache httpd 1.3 has reached end of life, as of January 2010.
No further releases of this software will be made, although critical
{
int i, nrd;
- if (fb->flags & B_RDERR)
+ if (fb->flags & B_RDERR || nbyte < 0)
return -1;
if (nbyte == 0)
return 0;
static int csize = 0;
#endif /*CHARSET_EBCDIC*/
- if (fb->flags & (B_WRERR | B_EOUT))
+ if (fb->flags & (B_WRERR | B_EOUT) || nbyte < 0)
return -1;
if (nbyte == 0)
return 0;
/* read the chunk */
if (remaining > 0) {
- n = ap_bread(f, buf, MIN((int)buf_size, (int)remaining));
+ n = ap_bread(f, buf, (int) MIN(buf_size, remaining));
if (n > -1) {
remaining -= n;
end_of_chunk = (remaining == 0);
n = ap_bread(f, buf, buf_size);
}
else {
- n = ap_bread(f, buf, MIN((int)buf_size,
- (int)(len - total_bytes_rcvd)));
+ n = ap_bread(f, buf, (int) MIN(buf_size,
+ (len - total_bytes_rcvd)));
}
}
projects / thirdparty / apache / httpd.git / commitdiff
