From: Rainer Jung
Date: Sat, 13 Jul 2013 11:04:58 +0000 (+0000)
Subject: Improve error detection when decompressing
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9368b2046d480f414ac56caa57f32b0077a20c18;p=thirdparty%2Fapache%2Fhttpd.git
Improve error detection when decompressing request bodies with trailing garbage: - handle case where trailing bytes are in the same bucket.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1502772 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index b8c6595ce32..a385b0c6e25 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2485
+2486
diff --git a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c
index 963f18341d6..43ae858380d 100644
--- a/modules/filters/mod_deflate.c
+++ b/modules/filters/mod_deflate.c
@@ -1096,6 +1096,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 }
 if (zRC == Z_STREAM_END) {
 apr_bucket *tmp_heap;
+ apr_size_t avail;
 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01393) "Zlib: Inflated %ld to %ld : URL %s",
@@ -1110,8 +1111,10 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 APR_BRIGADE_INSERT_TAIL(ctx->proc_bb, tmp_heap);
 ctx->stream.avail_out = c->bufferSize;
+ avail = ctx->stream.avail_in;
+
 /* Is the remaining 8 bytes already in the avail stream? */
- if (ctx->stream.avail_in >= 8) {
+ if (avail >= 8) {
 unsigned long compCRC, compLen;
 compCRC = getLong(ctx->stream.next_in);
 if (ctx->crc != compCRC) {
@@ -1143,6 +1146,13 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 inflateEnd(&ctx->stream);
 ctx->done = 1;
+
+ /* Did we have trailing data behind the closing 8 bytes? */
+ if (avail > 8) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02485)
+ "Encountered extra data after compressed data");
+ return APR_EGENERAL;
+ }
 }
 }
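Review bot: The new `avail = ctx->stream.avail_in;` snapshot in the second mod_deflate.c hunk carries no comment saying why the value is copied instead of being read again where it is needed. The copy is only used again after `inflateEnd(&ctx->stream)` in the last hunk, which suggests the trailer handling in between changes `avail_in`, but that code lies outside the hunk and cannot be confirmed from here. A one-line comment would make the dependency explicit, for example `/* Remember avail_in before the 8-byte trailer is consumed; checked again below for bytes behind it. */`.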
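Review bot: The `if (avail > 8)` rejection in the last hunk treats every byte behind the CRC/length trailer as garbage, which also refuses a body built from several concatenated gzip members, a layout RFC 1952 permits. Failing closed is a sound choice for a request-body filter, since ignored trailing bytes let an inspecting front end and the consuming handler disagree about the body, but the comment should state the decision, e.g. `/* Bytes behind the trailer are rejected; concatenated gzip members are not supported. */`. The test can only fire when the whole trailer was already in this buffer (`avail >= 8`). The branch taken when the trailer is split across buckets is outside the hunk, so whether trailing data is caught on that path cannot be confirmed from here.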