Merge r1935014 from trunk:

ap_regname: restrict to reasonable captures

Reviewed By: covener, gbechis, jfclere

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1935015 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/include/ap_regex.h b/include/ap_regex.h
index 50d5abaa0fd8a61deef1c5d0b4e59de537d8a660..d6afbb17d76004ab92f3947839fe8b94e36557c3 100644 (file)
--- a/include/ap_regex.h
+++ b/include/ap_regex.h
@@ -204,6 +204,8 @@ AP_DECLARE(apr_size_t) ap_regerror(int errcode, const ap_regex_t *preg,
  * @param prefix An optional prefix to add to the returned names.  AP_REG_MATCH
  * is the recommended prefix.
  * @param upper If non zero, uppercase the names
+ * @return number of regex backrefernces returned, -1 for error
+ *         for successful match, AP_REG_NOMATCH otherwise
  */
 AP_DECLARE(int) ap_regname(const ap_regex_t *preg,
                            apr_array_header_t *names, const char *prefix,

diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 4047d58f2aa7103c9f13237b812a63be2ad9a3fd..521e8f21837656a1b677bd7126acedfbd42f2058 100644 (file)
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -2886,7 +2886,9 @@ static const char *proxysection(cmd_parms *cmd, void *mconfig, const char *arg)
 
     if (r) {
         conf->refs = apr_array_make(cmd->pool, 8, sizeof(char *));
-        ap_regname(r, conf->refs, AP_REG_MATCH, 1);
+        if (ap_regname(r, conf->refs, AP_REG_MATCH, 1) < 0) {
+            return "Error processing regex captures";
+        }
     }
 
     ap_add_per_proxy_conf(cmd->server, new_dir_conf);

diff --git a/server/core.c b/server/core.c
index 925bb23018dc1ba80f5233eacbb600750041ad92..df270b019e410880dc2994ebd9311a602218fd4c 100644 (file)
--- a/server/core.c
+++ b/server/core.c
@@ -2526,7 +2526,9 @@ static const char *dirsection(cmd_parms *cmd, void *mconfig, const char *arg)
 
     if (r) {
         conf->refs = apr_array_make(cmd->pool, 8, sizeof(char *));
-        ap_regname(r, conf->refs, AP_REG_MATCH, 1);
+        if (ap_regname(r, conf->refs, AP_REG_MATCH, 1) < 0) {
+            return "Error processing regex captures";
+        }
     }
 
     /* Make this explicit - the "/" root has 0 elements, that is, we
@@ -2607,7 +2609,9 @@ static const char *urlsection(cmd_parms *cmd, void *mconfig, const char *arg)
 
     if (r) {
         conf->refs = apr_array_make(cmd->pool, 8, sizeof(char *));
-        ap_regname(r, conf->refs, AP_REG_MATCH, 1);
+        if (ap_regname(r, conf->refs, AP_REG_MATCH, 1) < 0) {
+            return "Error processing regex captures";
+        }
     }
 
     ap_add_per_url_conf(cmd->server, new_url_conf);
@@ -2694,7 +2698,9 @@ static const char *filesection(cmd_parms *cmd, void *mconfig, const char *arg)
 
     if (r) {
         conf->refs = apr_array_make(cmd->pool, 8, sizeof(char *));
-        ap_regname(r, conf->refs, AP_REG_MATCH, 1);
+        if (ap_regname(r, conf->refs, AP_REG_MATCH, 1) < 0) {
+            return "Error processing regex captures";
+        }
     }
 
     ap_add_file_conf(cmd->pool, (core_dir_config *)mconfig, new_file_conf);

diff --git a/server/util_pcre.c b/server/util_pcre.c
index 0a9dc50112deff7587efa2a60a024fee52d8fef3..46e82112a58fa03d41122846c5ecb91ac4fb3d55 100644 (file)
--- a/server/util_pcre.c
+++ b/server/util_pcre.c
@@ -521,7 +521,16 @@ AP_DECLARE(int) ap_regname(const ap_regex_t *preg,
 
     for (i = 0; i < namecount; i++) {
         const char *offset = nametable + i * nameentrysize;
-        int capture = ((offset[0] << 8) + offset[1]);
+        int capture = (((unsigned char)offset[0] << 8) + (unsigned char)offset[1]);
+        
+        /* Sanity check: reject unreasonably large capture group numbers.
+         * PCRE allows up to 65535 groups, but such large numbers would
+         * cause excessive memory allocation. Limit to a reasonable maximum.
+         */
+        if (capture > 1024) {
+            return -1;
+        }
+        
         while (names->nelts <= capture) {
             apr_array_push(names);
         }