From: Joe Orton Date: Fri, 5 Jun 2026 09:36:25 +0000 (+0000) Subject: * modules/filters/mod_substitute.c (do_pattmatch): X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=541dc008b38079dc71ef663d4dc9f272a71ce50c;p=thirdparty%2Fapache%2Fhttpd.git * modules/filters/mod_substitute.c (do_pattmatch): Improve bounds checking for line length validation. Submitted by: metsw24-max Github: closes #624 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935001 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/filters/mod_substitute.c b/modules/filters/mod_substitute.c
index 19819b8f23..65ca5f95d0 100644
--- a/modules/filters/mod_substitute.c
+++ b/modules/filters/mod_substitute.c
@@ -239,7 +239,9 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
 * are constanting allocing space and copying
 * strings.
 */
- if (vb.strlen + len + replen > cfg->max_line_length)
+ if (vb.strlen > cfg->max_line_length
+ || len > cfg->max_line_length - vb.strlen
+ || replen > cfg->max_line_length - vb.strlen - len)
 return APR_ENOMEM;
 ap_varbuf_strmemcat(&vb, buff, len);
 ap_varbuf_strmemcat(&vb, replacement, replen);
@@ -251,7 +253,7 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
 * Check if we still have space for this string and
 * the replacement string.
 */
- if (space_left < len + replen)
+ if (len > space_left || replen > space_left - len)
 return APR_ENOMEM;
 space_left -= len + replen;
 /*
@@ -338,7 +340,8 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
 /* Note that the last param in ap_varbuf_regsub below
 * must stay positive. If it gets 0, it would mean
 * unlimited space available. */
- if (vb.strlen + regm[0].rm_so >= cfg->max_line_length)
+ if (vb.strlen >= cfg->max_line_length
+ || (apr_size_t)regm[0].rm_so > cfg->max_line_length - vb.strlen)
 return APR_ENOMEM;
 /* copy bytes before the match */
 if (regm[0].rm_so > 0)
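Review bot: The three-clause test added in the flatten branch (hunk -239,7 +239,9) carries no comment saying why it replaced the single sum, so a later cleanup could fold it back into `vb.strlen + len + replen > cfg->max_line_length` and bring back the wraparound this form avoids. I would add one line above it, `/* Compare by subtraction: the sum of the lengths could wrap and slip past the limit. */`. The same applies to the `space_left` test in hunk -251,7 +253,7 and the `rm_so` test in hunk -338,7 +340,8. This presumes every operand is an unsigned size value, which the hunks do not show apart from the `(apr_size_t)` cast in the third; do_pattmatch starts and ends outside all three hunks.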
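Review bot: The second clause added in hunk -338,7 +340,8 uses `>` where the removed line used `>=`, so a match with `regm[0].rm_so == cfg->max_line_length - vb.strlen` is no longer rejected. The comment directly above says the last argument to ap_varbuf_regsub must stay positive because 0 means unlimited space. If that argument is `cfg->max_line_length - vb.strlen` taken after the pre-match bytes are copied (the call is outside the hunk, so this is inferred), the boundary case yields exactly 0 and lifts the line-length cap. Keeping the old boundary would be `|| (apr_size_t)regm[0].rm_so >= cfg->max_line_length - vb.strlen)`.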