From: Stefan Fritsch Date: Wed, 4 Jan 2012 19:45:22 +0000 (+0000) Subject: Merge fix for CVE-2011-3607: X-Git-Tag: 2.2.22~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=318ccaa5e42b991b8e23d94455192f659224e516;p=thirdparty%2Fapache%2Fhttpd.git Merge fix for CVE-2011-3607: Fix integer overflow in ap_pregsub() Trunk fix: r1198940 Submitted by: Stefan Fritsch, Greg Ames Reviewed by: Stefan Fritsch, Greg Ames, Eric Covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1227280 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 0ead4fe5af0..f6e2ebbb292 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,11 @@ Changes with Apache 2.2.22 specification, preventing unexpected expansion of target URLs in some reverse proxy configurations. [Joe Orton] + *) SECURITY: CVE-2011-3607 (cve.mitre.org) + Fix integer overflow in ap_pregsub() which, when the mod_setenvif module + is enabled, could allow local users to gain privileges via a .htaccess + file. [Stefan Fritsch, Greg Ames] + *) core: Fix segfault in ap_send_interim_response(). PR 52315. [Stefan Fritsch] diff --git a/STATUS b/STATUS index dbd66b73b08..c8b1410971f 100644 --- a/STATUS +++ b/STATUS @@ -112,11 +112,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: 2.2.x patch: trunk patch works +1: sf, gregames, covener - * core: Fix integer overflow in ap_pregsub. CVE-2011-3607 - Trunk patch: http://svn.apache.org/viewvc?rev=1198940&view=rev - 2.2.x patch: http://people.apache.org/~sf/CVE-2011-3607.diff - +1: sf, gregames, covener - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/server/util.c b/server/util.c index d0b90c6a53d..a50d0340e5a 100644 --- a/server/util.c +++ b/server/util.c 
@@ -82,6 +82,8 @@ #define IS_SLASH(s) (s == '/') #endif +/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */ +#define UTIL_SIZE_MAX (~((apr_size_t)0)) /* * Examine a field value (such as a media-/content-type) string and return @@ -366,7 +368,7 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input, char *dest, *dst; char c; size_t no; - int len; + apr_size_t len; if (!source) return NULL; @@ -391,6 +393,11 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input, len++; } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { + if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, + "integer overflow or out of memory condition." ); + return NULL; + } len += pmatch[no].rm_eo - pmatch[no].rm_so; }
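Review bot: the new `UTIL_SIZE_MAX` macro is defined unconditionally even though its own comment says it duplicates `APR_SIZE_MAX` from APR 1.3 onward; wrapping it as `#ifdef APR_SIZE_MAX` / `#define UTIL_SIZE_MAX APR_SIZE_MAX` / `#else` ... `#endif` would make the local definition fall away on newer APR and keep the two from diverging.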
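Review bot: changing `len` from `int` to `apr_size_t` is the correct fix for the overflow, but it flips the variable's signedness, so every comparison or arithmetic step involving `len` in the rest of ap_pregsub() that this hunk does not show (for example against signed regmatch offsets or an `int` counter) should be audited; building server/util.c with -Wsign-compare would surface any remaining mixed-sign spots.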
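Review bot: the overflow check depends on the enclosing `pmatch[no].rm_so < pmatch[no].rm_eo` guard to keep `pmatch[no].rm_eo - pmatch[no].rm_so` positive before it is implicitly converted to apr_size_t for the comparison with `UTIL_SIZE_MAX - len`; a one-line comment stating that dependency would stop a later reordering of the conditions from silently breaking the check. The use of `<=` rather than `<` also deserves a comment saying why one extra byte is reserved (presumably for the result's terminating NUL), since the allocation is not visible in this hunk. Finally, `ap_log_error()` is called with a NULL server_rec, so the warning cannot be correlated with the vhost or per-directory configuration that produced the oversized substitution; the argument `"integer overflow or out of memory condition." );` also carries a stray space before the closing parenthesis.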