-rw-r--r--CHANGES4
-rw-r--r--server/util.c2
2 files changed, 6 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 2a107b8f07..356ec0606c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,10 @@ Changes with Apache 2.3.15
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
<lowprio20 gmail.com>]
+ *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+ core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
+ with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]
+
*) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and
LuaHookQuickHandler) from being configured in <Directory>, <Files>,
and htaccess where the configuration would have been ignored.
diff --git a/server/util.c b/server/util.c
index 10d3e35b20..7fda13cc66 100644
--- a/server/util.c
+++ b/server/util.c
@@ -411,6 +411,8 @@ static apr_status_t regsub_core(apr_pool_t *p, char **result,
len++;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
+ return APR_ENOMEM;
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}
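Review bot: The new guard `if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)` stops `len` from wrapping, but it sets no practical ceiling on the result size, so a substitution supplied through .htaccess (the vector named in CHANGES) can still request an allocation just short of APR_SIZE_MAX. Consider also failing with the same `APR_ENOMEM` once `len` exceeds a fixed, sane maximum for a substituted string. The `<=` rather than `<` looks deliberate, presumably to keep one byte free for the terminator added where the buffer is allocated outside this hunk; a comment such as `/* <= (not <) so that len + 1 cannot wrap at allocation */` would record that. The unguarded `len++` in the branch above appears to be bounded by the length of the source string, so it seems fine as is. regsub_core starts and ends outside the hunk, so whether every caller checks the returned status should be confirmed there.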