httpd-apreq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Max Kellermann <>
Subject Bugreport: Segmentation fault when using wrong percent escapes
Date Thu, 11 Dec 2003 11:30:09 GMT

I found a bug in apreq2 v2.02-dev (which is still in CVS HEAD): when
you decode a query string which uses an invalid percent escape
(e.g. "test=foo%d"), apreq segfaults in function apr_table_addn.

This is because apreq_decode_param leaves param-> with a NULL
value when it finds an invalid sequence. It also sets param->v.status
to APR_BADARG. Calling function apreq_parse_query_string does not
check param->v.status and tries to call apr_table_addn with NULL key.

The following patch fixes this bug:

--- apreq_params.c      (revision 62)
+++ apreq_params.c      (working copy)
@@ -276,7 +276,7 @@
                 param = apreq_decode_param(pool, start, nlen, vlen);
-                if (param)
+                if (param && param->v.status == APR_SUCCESS)
                     apr_table_addn(t, param->, param->;
                     return APR_BADARG;

(you might prefer to return param->v.status on error....)

Max Kellermann

View raw message