From: Giovanni Bechis Date: Tue, 28 Mar 2023 21:12:47 +0000 (+0000) Subject: Fix a possible null pointer dereference in ap_expr_parse() X-Git-Tag: 2.5.0-alpha2-ci-test-only~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4599b709bb9ff6895d7627e24940701ea192987a;p=thirdparty%2Fapache%2Fhttpd.git Fix a possible null pointer dereference in ap_expr_parse() In ap_expr_parse(), ap_expr_yylex_init() will return 1 on failure, and ctx.scanner will remain NULL. However the return value of ap_expr_yylex_init() is not checked, and there is a dereference of ctx.scanner in following function ap_expr_yyset_extra(), which may lead to NULL pointer dereference. Fix this bug by adding return value check of ap_expr_yylex_init. Submitted by: Zhou Qingyang Github: closes #308 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908772 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c index 9c71e865b0f..f1424aa1a91 100644 --- a/server/util_expr_eval.c +++ b/server/util_expr_eval.c @@ -592,7 +592,10 @@ AP_DECLARE(const char *) ap_expr_parse(apr_pool_t *pool, apr_pool_t *ptemp, ctx.lookup_fn = lookup_fn ? lookup_fn : ap_expr_lookup_default; ctx.at_start = 1; - ap_expr_yylex_init(&ctx.scanner); + rc = ap_expr_yylex_init(&ctx.scanner); + if (rc) + return "ap_expr_yylex_init error"; + ap_expr_yyset_extra(&ctx, ctx.scanner); rc = ap_expr_yyparse(&ctx); ap_expr_yylex_destroy(ctx.scanner);
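Review bot: The string returned on the new `if (rc)` path, "ap_expr_yylex_init error", names an internal function and gives no cause, so whoever reads it in a configuration error has little to act on. The commit message says the initializer returns 1 on failure and leaves ctx.scanner NULL. A message that states the scanner could not be initialized would be more useful. The early return also skips `ap_expr_yylex_destroy(ctx.scanner)`, which is only correct because the scanner is still NULL at that point. A one-line comment above the return saying so would keep a later edit from adding cleanup that dereferences it.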