From: Rainer Jung <rjung@apache.org>
Date: Sat, 1 Oct 2011 17:51:37 +0000 (+0000)
Subject: Fix buffer overrun in mod_substitute.
X-Git-Tag: 2.2.22~131
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e02cd44679321b341b282f3bdc06b37843e1d83;p=thirdparty%2Fapache%2Fhttpd.git

Fix buffer overrun in mod_substitute.
No need to fix trunk, the code is no
longer present there.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1178053 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index adb5959aab3..e47dd6c7562 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,8 @@ Changes with Apache 2.2.22
   *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
      of "0").  [Rainer Jung]
 
+  *) mod_substitute: Fix buffer overrun.  [Ruediger Pluem, Rainer Jung]
+
 Changes with Apache 2.2.21
 
   *) SECURITY: CVE-2011-3348 (cve.mitre.org)
diff --git a/modules/filters/mod_substitute.c b/modules/filters/mod_substitute.c
index 07030403ab0..faa86ad0b67 100644
--- a/modules/filters/mod_substitute.c
+++ b/modules/filters/mod_substitute.c
@@ -213,7 +213,7 @@ static void do_pattmatch(ap_filter_t *f, apr_bucket *inb,
                      * we've allocated and only re-alloc when we need it.
                      * NOTE: this screams for a macro.
                      */
-                    if (!scratch || (bytes > (fbytes + 1))) {
+                    if (!scratch || (bytes + 1 > fbytes)) {
                         fbytes = bytes + 1;
                         scratch = apr_palloc(tpool, fbytes);
                     }