From: Joe Orton <jorton@apache.org>
Date: Mon, 3 Aug 2009 12:34:17 +0000 (+0000)
Subject: Merge r583817, r583830 from trunk:
X-Git-Tag: 2.2.13~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e15303858d637f0b2eeb4755827f4d9a7f9d9a90;p=thirdparty%2Fapache%2Fhttpd.git

Merge r583817, r583830 from trunk:

* server/util_filter.c (ap_filter_flush): Ensure that the brigade is
  empty before returning.

* server/util_filter.c (ap_filter_flush): Tweak comment; no functional
change.

PR: 36780
Submitted by: jorton
Reviewed by: jorton, minfrin, rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@800333 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index c3bf507bfab..63c59e03b81 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.13
 
+  *) Fix potential segfaults with use of the legacy ap_rputs() etc
+     interfaces, in cases where an output filter fails.  PR 36780.
+     [Joe Orton]
 
 Changes with Apache 2.2.12
 
diff --git a/STATUS b/STATUS
index e3cc05d29c3..61bfef9da29 100644
--- a/STATUS
+++ b/STATUS
@@ -84,15 +84,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * Fix potential segfaults with transient buckets and use of
-    ap_r* interfaces.  PR 36780
-   Trunk version of patch:
-      http://svn.apache.org/viewvc?rev=583817&view=rev
-      http://svn.apache.org/viewvc?rev=583830&view=rev
-   Backport version for 2.2.x of patch:
-      https://issues.apache.org/bugzilla/attachment.cgi?id=24087
-   +1: jorton, minfrin, rpluem
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 
diff --git a/server/util_filter.c b/server/util_filter.c
index 7d48b52d2c2..b2e7b5824d1 100644
--- a/server/util_filter.c
+++ b/server/util_filter.c
@@ -578,8 +578,18 @@ AP_DECLARE_NONSTD(apr_status_t) ap_filter_flush(apr_bucket_brigade *bb,
                                                 void *ctx)
 {
     ap_filter_t *f = ctx;
+    apr_status_t rv;
 
-    return ap_pass_brigade(f, bb);
+    rv = ap_pass_brigade(f, bb);
+
+    /* Before invocation of the flush callback, apr_brigade_write et
+     * al may place transient buckets in the brigade, which will fall
+     * out of scope after returning.  Empty the brigade here, to avoid
+     * issues with leaving such buckets in the brigade if some filter
+     * fails and leaves a non-empty brigade. */
+    apr_brigade_cleanup(bb);
+
+    return rv;
 }
 
 AP_DECLARE(apr_status_t) ap_fflush(ap_filter_t *f, apr_bucket_brigade *bb)