From: Rainer Jung
Date: Wed, 3 Oct 2012 16:18:10 +0000 (+0000)
Subject: Merge r1198940 from trunk resp. r1227280 from 2.2.x:
X-Git-Tag: 2.0.65~54
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b58a2a33c5d0b22ad000b54915c519c2f6195c78;p=thirdparty%2Fapache%2Fhttpd.git

Merge r1198940 from trunk resp. r1227280 from 2.2.x:

Fix integer overflow in ap_pregsub. This can be triggered e.g. with
mod_setenvif via a malicious .htaccess

CVE-2011-3607
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/

Submitted by: sf
Reviewed/backported by: rjung

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1393580 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES index 39a07a0a690..b195c8dc487 100644 --- a/CHANGES +++ b/CHANGES @@ -23,6 +23,11 @@ Changes with Apache 2.0.65 PR 51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener, ] + *) SECURITY: CVE-2011-3607 (cve.mitre.org) + Fix integer overflow in ap_pregsub() which, when the mod_setenvif module + is enabled, could allow local users to gain privileges via a .htaccess + file. [Stefan Fritsch, Greg Ames] + Changes with Apache 2.0.64 *) SECURITY: CVE-2010-1452 (cve.mitre.org) diff --git a/STATUS b/STATUS index dffaac19053..8bce61b8fe8 100644 --- a/STATUS +++ b/STATUS @@ -129,13 +129,6 @@ RELEASE SHOWSTOPPERS: More eyes welcome. jim: not a showstopper, imo - *) SECURITY: CVE-2011-3607 (cve.mitre.org) - Fix integer overflow in ap_pregsub() which, when the mod_setenvif module - is enabled, could allow local users to gain privileges via a .htaccess - file. [Stefan Fritsch, Greg Ames] - From 2.2.x; http://svn.apache.org/viewvc?view=revision&revision=1227280 - +1: gregames, wrowe, trawick - *) SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired
diff --git a/server/util.c b/server/util.c index a64f3bf973f..b69f465050c 100644 --- a/server/util.c +++ b/server/util.c @@ -82,6 +82,8 @@ #define IS_SLASH(s) (s == '/') #endif +/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */ +#define UTIL_SIZE_MAX (~((apr_size_t)0)) /* * Examine a field value (such as a media-/content-type) string and return @@ -385,7 +387,7 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input, char *dest, *dst; char c; size_t no; - int len; + apr_size_t len; if (!source) return NULL; @@ -410,6 +412,11 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input, len++; } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { + if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, + "integer overflow or out of memory condition." ); + return NULL; + } len += pmatch[no].rm_eo - pmatch[no].rm_so; }
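Review bot: the guard added in the third server/util.c hunk, `if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)`, is correct but its strictness is undocumented: using `<=` rather than `<` also rejects the case where `len` plus the match length would land exactly on UTIL_SIZE_MAX, so the accumulated length always keeps at least one byte of headroom below the maximum. That is what you want for a length that still has to have a terminator added to it, but the next reader will take it for an off-by-one, so add a one-line comment saying the headroom is intentional. Two smaller points on the same lines: `pmatch[no].rm_eo - pmatch[no].rm_so` is computed in the offsets' own type and only then converted for the comparison against the `apr_size_t` left-hand side, which is safe solely because the enclosing `else if` has already established `pmatch[no].rm_so < pmatch[no].rm_eo`; an explicit `(apr_size_t)` cast on the difference would make that dependence visible. And the message passed to `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, ...)` carries no server or request context, so naming the function in it (`"ap_pregsub: integer overflow or out of memory condition"`) would make the warning findable in a busy error log.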
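Review bot: the `#define UTIL_SIZE_MAX (~((apr_size_t)0))` in the first server/util.c hunk duplicates APR_SIZE_MAX, as its own comment says; guard it with `#ifdef APR_SIZE_MAX` / `#define UTIL_SIZE_MAX APR_SIZE_MAX` / `#else` / the current definition / `#endif`, so a build against an APR that already provides the constant uses the real one and the two cannot drift. On the second hunk, changing `int len;` to `apr_size_t len;` removes the signed wrap that could make the accumulated length negative, but the `len++` in the literal-character branch shown as context still has no check; that is acceptable because it advances once per source byte and is therefore bounded by the length of the source string, and a short comment saying so would save the next reviewer from asking why only the match branch is guarded.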