From: Stefan Eissing
Date: Tue, 10 Aug 2021 08:59:48 +0000 (+0000)
Subject: Merge of 1892038,1892063 from trunk:
X-Git-Tag: candidate-2.4.49~3^2~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=79a84dcf65c45ef00c9d20bdb8b88809bbae1b85;p=thirdparty%2Fapache%2Fhttpd.git
Merge of 1892038,1892063 from trunk:
*) core: avoid signed integer overflow under fuzzing in ap_timeout_parameter_parse
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1892173 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/server/util.c b/server/util.c
index 0c955e76ec2..e917894fa53 100644
--- a/server/util.c
+++ b/server/util.c
@@ -2597,6 +2597,7 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
 char *endp;
 const char *time_str;
 apr_int64_t tout;
+ apr_uint64_t check;
 tout = apr_strtoi64(timeout_parameter, &endp, 10);
 if (errno) {
@@ -2609,24 +2610,28 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
 time_str = endp;
 }
+ if (tout < 0) {
+ return APR_ERANGE;
+ }
+
 switch (*time_str) {
 /* Time is in seconds */
 case 's':
- *timeout = (apr_interval_time_t) apr_time_from_sec(tout);
+ check = apr_time_from_sec(tout);
 break;
 case 'h':
 /* Time is in hours */
- *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 3600);
+ check = apr_time_from_sec(tout * 3600);
 break;
 case 'm':
 switch (*(++time_str)) {
 /* Time is in milliseconds */
 case 's':
- *timeout = (apr_interval_time_t) tout * 1000;
+ check = tout * 1000;
 break;
 /* Time is in minutes */
 case 'i':
- *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 60);
+ check = apr_time_from_sec(tout * 60);
 break;
 default:
 return APR_EGENERAL;
@@ -2635,6 +2640,10 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
 default:
 return APR_EGENERAL;
 }
+ if (check > APR_INT64_MAX || check < tout) {
+ return APR_ERANGE;
+ }
+ *timeout = (apr_interval_time_t) check;
 return APR_SUCCESS;
 }
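Review bot: The products in the switch of the second hunk (`tout * 3600`, `tout * 60`, `tout * 1000`, and the multiply inside `apr_time_from_sec`, which APR's apr_time.h, not shown on this page, defines as a macro working in the signed `apr_time_t`) are still evaluated in signed 64-bit arithmetic before the result is stored in `check`, so the overflow is not avoided, only looked for afterwards by the test added in the third hunk. That test is also incomplete: a wrapped product can land between `tout` and `APR_INT64_MAX` (with the hours factor, for instance) and then passes `check > APR_INT64_MAX || check < tout`. Bounding `tout` before multiplying removes both problems; one way is to let the switch pick a per-unit factor and compare once against `APR_INT64_MAX / factor`, which also makes `check` unnecessary. The function's signature and opening lines are outside these hunks, so the sketch below covers only the switch and the tail.

```c
    apr_int64_t factor;    /* microseconds per unit of tout */
    /* … unchanged: apr_strtoi64 parsing, unit selection, tout < 0 check … */
    switch (*time_str) {
    case 's':
        factor = APR_USEC_PER_SEC;
        break;
    case 'h':
        factor = 3600 * APR_USEC_PER_SEC;
        break;
    case 'm':
        switch (*(++time_str)) {
        case 's':
            factor = 1000;
            break;
        case 'i':
            factor = 60 * APR_USEC_PER_SEC;
            break;
        default:
            return APR_EGENERAL;
        }
        break;
    default:
        return APR_EGENERAL;
    }
    /* Reject before multiplying, so the signed product cannot overflow. */
    if (tout > APR_INT64_MAX / factor) {
        return APR_ERANGE;
    }
    *timeout = (apr_interval_time_t)(tout * factor);
    return APR_SUCCESS;
```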