From e653b97abc5cb3e4f29e6a4a92bac098fbb5a2c1 Mon Sep 17 00:00:00 2001
From: manu <manu@unknown>
Date: Tue, 7 Mar 2023 01:51:02 +0000
Subject: [PATCH] Use ap_parse_strict_length() to parse client-supplied
 Content-Length

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908144 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/dav/fs/quota.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/modules/dav/fs/quota.c b/modules/dav/fs/quota.c
index 37cbb6cf146..8dedfeae610 100644
--- a/modules/dav/fs/quota.c
+++ b/modules/dav/fs/quota.c
@@ -320,12 +320,20 @@ int dav_fs_quota_precondition(request_rec *r,
         /*
          * If PUT has Content-Length, we can forecast overquota
          */
-        if ((lenhdr = apr_table_get(r->headers_in, "Content-Length")) &&
-            (atol(lenhdr) > available_bytes)) {
-            status = HTTP_INSUFFICIENT_STORAGE;
-            *err = dav_new_error_tag(r->pool, status, 0, 0,
-                                     msg, NULL, tag);
-            goto out;
+        if (lenhdr = apr_table_get(r->headers_in, "Content-Length")) {
+            if (!ap_parse_strict_length(&size, lenhdr)) {
+                status = HTTP_BAD_REQUEST;
+                *err = dav_new_error(r->pool, status, 0, 0,
+                                     "client sent invalid Content-Length");
+                goto out;
+            }
+
+            if (size > available_bytes) {
+                status = HTTP_INSUFFICIENT_STORAGE;
+                *err = dav_new_error_tag(r->pool, status, 0, 0,
+                                         msg, NULL, tag);
+                goto out;
+            }
         }
         break;
     case M_COPY: /* FALLTHROUGH */
-- 
2.47.2