Fix buffer overrun in mod_substitute.

author Rainer Jung <rjung@apache.org>

Sat, 1 Oct 2011 17:51:37 +0000 (17:51 +0000)

committer Rainer Jung <rjung@apache.org>

Sat, 1 Oct 2011 17:51:37 +0000 (17:51 +0000)
author Rainer Jung <rjung@apache.org>
Sat, 1 Oct 2011 17:51:37 +0000 (17:51 +0000)
committer Rainer Jung <rjung@apache.org>
Sat, 1 Oct 2011 17:51:37 +0000 (17:51 +0000)
diff --git a/CHANGES b/CHANGES

index adb5959aab30dae994550d54ca90bcc3831c3898..e47dd6c7562358ef748a71da2f8a56342d1e903d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,8 @@ Changes with Apache 2.2.22
    *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
       of "0").  [Rainer Jung]
  
+  *) mod_substitute: Fix buffer overrun.  [Ruediger Pluem, Rainer Jung]
+
  Changes with Apache 2.2.21
  
    *) SECURITY: CVE-2011-3348 (cve.mitre.org)
diff --git a/modules/filters/mod_substitute.c b/modules/filters/mod_substitute.c

index 07030403ab0d9f762d64a4534be1349e0d7e8855..faa86ad0b67bba0e54c8ef7d842ada0956e109b8 100644 (file)
--- a/modules/filters/mod_substitute.c
+++ b/modules/filters/mod_substitute.c
@@ -213,7 +213,7 @@ static void do_pattmatch(ap_filter_t *f, apr_bucket *inb,
                       * we've allocated and only re-alloc when we need it.
                       * NOTE: this screams for a macro.
                       */
-                    if (!scratch || (bytes > (fbytes + 1))) {
+                    if (!scratch || (bytes + 1 > fbytes)) {
                          fbytes = bytes + 1;
                          scratch = apr_palloc(tpool, fbytes);
                      }
author	Rainer Jung <rjung@apache.org>
	Sat, 1 Oct 2011 17:51:37 +0000 (17:51 +0000)
committer	Rainer Jung <rjung@apache.org>
	Sat, 1 Oct 2011 17:51:37 +0000 (17:51 +0000)
CHANGES		patch \| blob \| blame \| history
modules/filters/mod_substitute.c		patch \| blob \| blame \| history