From: Jim Jagielski Date: Mon, 9 Dec 2002 20:21:00 +0000 (+0000) Subject: Get rid of somewhat long-standing issue regarding large values X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a2428f77144c0c20438cd99540107da6e1c19ce;p=thirdparty%2Fapache%2Fhttpd.git Get rid of somewhat long-standing issue regarding large values of precision causing a buffer to be clobbered in the vformatter function (eg: ap_snprintf) PR: Obtained from: Submitted by: Reviewed by: git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@97822 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/src/CHANGES b/src/CHANGES index e795f8000de..8924db7f736 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,5 +1,8 @@ Changes with Apache 1.3.28 + *) Prevent obscenely large values of precision in ap_vformatter + from clobbering a buffer. [Sander Striker, Jim Jagielski] + *) NetWare: implemented ap_os_default_port() to resolve the correct default port based on the request method. This fixes a URL reconstruction problem on a redirect. diff --git a/src/ap/ap_snprintf.c b/src/ap/ap_snprintf.c index ffa0c366dbe..6f0e6b63b41 100644 --- a/src/ap/ap_snprintf.c +++ b/src/ap/ap_snprintf.c 
@@ -317,15 +317,21 @@ static char *ap_gcvt(double number, int ndigit, char *buf, boolean_e altform) * This macro does zero padding so that the precision * requirement is satisfied. The padding is done by * adding '0's to the left of the string that is going - * to be printed. + * to be printed. We don't allow precision to be large + * enough that we continue past the start of s. + * + * NOTE: this makes use of the magic info that s is + * always based on num_buf with a size of NUM_BUF_SIZE. */ #define FIX_PRECISION( adjust, precision, s, s_len ) \ - if ( adjust ) \ - while ( s_len < precision ) \ + if ( adjust ) { \ + int p = precision < NUM_BUF_SIZE - 1 ? precision : NUM_BUF_SIZE - 1; \ + while ( s_len < p ) \ { \ *--s = '0' ; \ s_len++ ; \ - } + } \ + } /* * Macro that does padding. The padding is done by printing @@ -758,10 +764,6 @@ API_EXPORT(int) ap_vformatter(int (*flush_func)(ap_vformatter_buff *), /* * Check if a precision was specified - * - * XXX: an unreasonable amount of precision may be specified - * resulting in overflow of num_buf. Currently we - * ignore this possibility. */ if (*fmt == '.') { adjust_precision = YES;
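Review bot: In the src/CHANGES hunk, the entry credits Sander Striker, but the commit message leaves "Submitted by:" and "Reviewed by:" empty, so the log and CHANGES disagree on attribution; fill those fields in. The entry would also be easier to find if it named the ap_snprintf family that the commit message gives as the example. "Obscenely large" could be replaced with the concrete behaviour: precision is now clamped to NUM_BUF_SIZE - 1.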
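Review bot: In the FIX_PRECISION hunk of src/ap/ap_snprintf.c, the new limit is hard-coded as NUM_BUF_SIZE - 1 even though the macro receives s as a parameter. The clamp is therefore only safe while every caller passes an s that was filled backwards from the end of num_buf, which the added NOTE admits and nothing in the macro checks. Consider passing the buffer start (or the remaining room) as a macro argument so the bound follows the pointer actually handed in, instead of relying on the "magic info". Two smaller points on the same lines: `int p` declared inside the macro body will capture any caller expression that mentions a variable named p, and `precision` is expanded unparenthesized in `precision < NUM_BUF_SIZE - 1 ? precision : NUM_BUF_SIZE - 1`, so an argument containing a lower-precedence operator would be misparsed. The comment should also say that a larger requested precision is silently truncated, since the output then has fewer leading zeros than the format string asked for.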
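Review bot: In the ap_vformatter hunk, deleting the XXX comment removes the only marker that precision is read from the format string without a limit, while the patch bounds it only inside FIX_PRECISION and not at this parse site. The value stored in precision is still unclamped after `if (*fmt == '.') {`, so any consumer other than FIX_PRECISION is not covered by the visible change. Either clamp precision once here, right after it is parsed, or replace the XXX with a comment stating that FIX_PRECISION is where the limit is enforced, rather than dropping the warning outright.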