diff options
| author | Stefan Fritsch <sf@apache.org> | 2011-11-07 22:13:40 +0100 |
|---|---|---|
| committer | Stefan Fritsch <sf@apache.org> | 2011-11-07 22:13:40 +0100 |
| commit | fd962221ea30b998581edb12177fd3328195bec6 (patch) | |
| tree | b3ee99ad0b07f39f5a88db7c9de107f57e76a03d /server | |
| parent | No need to zero memory that we will overwrite anyway (diff) | |
| download | apache2-fd962221ea30b998581edb12177fd3328195bec6.tar.xz apache2-fd962221ea30b998581edb12177fd3328195bec6.zip | |
Fix integer overflow in ap_pregsub. This can be triggered e.g.
with mod_setenvif via a malicious .htaccess
CVE-2011-3607
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1198940 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'server')
| -rw-r--r-- | server/util.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/server/util.c b/server/util.c index 10d3e35b20..7fda13cc66 100644 --- a/server/util.c +++ b/server/util.c @@ -411,6 +411,8 @@ static apr_status_t regsub_core(apr_pool_t *p, char **result, len++; } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { + if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) + return APR_ENOMEM; len += pmatch[no].rm_eo - pmatch[no].rm_so; } |