]> git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
projects / thirdparty / apache / httpd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cb5d54e)
Commit 6 on 6 to fix reentrance (incomplete Zlib header or validation bytes) in mod_d...
authorYann Ylavic <ylavic@apache.org>
Thu, 27 Feb 2014 18:15:03 +0000 (18:15 +0000)
committerYann Ylavic <ylavic@apache.org>
Thu, 27 Feb 2014 18:15:03 +0000 (18:15 +0000)
PR 46146 (patches from duplicated PR 55666)

Ignore empty buckets and split buckets longer than INT_MAX (since zlib uses 32-bit ints only) in all filters.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1572671 13f79535-47bb-0310-9956-ffa450edef68

modules/filters/mod_deflate.c patch | blob | blame | history

diff --git a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c
index a50bc48fc8279a2a95a1108b25abe4b8ad05fc8c..1d48ddfc977fd9a63a8febdef3d06a9cdc1c6e6b 100644 (file)
--- a/modules/filters/mod_deflate.c
+++ b/modules/filters/mod_deflate.c
@@ -49,6 +49,8 @@
 
 #include "zlib.h"
 
+#include <limits.h>     /* for INT_MAX */
+
 static const char deflateFilterName[] = "DEFLATE";
 module AP_MODULE_DECLARE_DATA deflate_module;
 
@@ -843,6 +845,14 @@ static apr_status_t deflate_out_filter(ap_filter_t *f,
 
         /* read */
         apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+        if (!len) {
+            apr_bucket_delete(e);
+            continue;
+        }
+        if (len > INT_MAX) {
+            apr_bucket_split(e, INT_MAX);
+            apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+        }
 
         /* This crc32 function is from zlib. */
         ctx->crc = crc32(ctx->crc, (const Bytef *)data, len);
@@ -1187,6 +1197,13 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 
             /* read */
             apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ);
+            if (!len) {
+                continue;
+            }
+            if (len > INT_MAX) {
+                apr_bucket_split(bkt, INT_MAX);
+                apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ);
+            }
 
             if (ctx->zlib_flags) {
                 rv = consume_zlib_flags(ctx, &data, &len);
@@ -1200,7 +1217,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 
             /* pass through zlib inflate. */
             ctx->stream.next_in = (unsigned char *)data;
-            ctx->stream.avail_in = len;
+            ctx->stream.avail_in = (int)len;
 
             zRC = Z_OK;
 
@@ -1533,6 +1550,14 @@ static apr_status_t inflate_out_filter(ap_filter_t *f,
 
         /* read */
         apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+        if (!len) {
+            apr_bucket_delete(e);
+            continue;
+        }
+        if (len > INT_MAX) {
+            apr_bucket_split(e, INT_MAX);
+            apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+        }
 
         /* first bucket contains zlib header */
         if (ctx->header_len < sizeof(ctx->header)) {
Mirror of https://github.com/apache/httpd.git