httpd-cvs mailing list archives

From ron...@hyperreal.org
Subject cvs commit: apache-1.3/src/main util.c
Date Sat, 10 Apr 1999 23:21:24 GMT
ronald      99/04/10 16:21:23

  Modified:    src      CHANGES
               src/main util.c
  Log:
  ap_uuencode was not allocating space for terminating '\0'
  ap_uudecode was running past the beginning of the buffer for empty input
  strings, and past the end of the buffer for certain (invalid) input
  
  PR: 3422
  Reviewed by:	Dean Gaudet
  
  Revision  Changes    Path
  1.1307    +4 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1306
  retrieving revision 1.1307
  diff -u -r1.1306 -r1.1307
  --- CHANGES	1999/04/10 21:51:01	1.1306
  +++ CHANGES	1999/04/10 23:21:21	1.1307
  @@ -1,5 +1,9 @@
   Changes with Apache 1.3.7
   
  +  *) Fix buffer overflows in ap_uuencode and ap_uudecode pointed out
  +     by "Peter 'Luna' Altberg <peter@altberg.nu>" and PR#3422
  +     [Peter 'Luna' Altberg <peter@altberg.nu>, Ronald Tschalär]
  +
     *) Make {Set,Unset,Pass}Env per-directory instead of per-server.
        [Ben Laurie]
   
  
  
  
  1.157     +23 -15    apache-1.3/src/main/util.c
  
  Index: util.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/main/util.c,v
  retrieving revision 1.156
  retrieving revision 1.157
  diff -u -r1.156 -r1.157
  --- util.c	1999/03/20 15:41:07	1.156
  +++ util.c	1999/04/10 23:21:23	1.157
  @@ -1962,7 +1962,7 @@
   
       bufin = (const unsigned char *) bufcoded;
   
  -    while (nprbytes > 0) {
  +    while (nprbytes > 4) {
   	*(bufout++) =
   	    (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
   	*(bufout++) =
  @@ -1973,13 +1973,15 @@
   	nprbytes -= 4;
       }
   
  -    if (nprbytes & 03) {
  -	if (pr2six[bufin[-2]] > 63)
  -	    nbytesdecoded -= 2;
  -	else
  -	    nbytesdecoded -= 1;
  +    /* Note: (nprbytes == 1) would be an error, so just ingore that case */
  +    if (nprbytes > 1) {
  +	*(bufout++) =
  +	    (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
       }
  -    bufplain[nbytesdecoded] = '\0';
  +    if (nprbytes > 2) {
  +	*(bufout++) =
  +	    (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
  +    }
   #else /*CHARSET_EBCDIC*/
       bufin = (const unsigned char *) bufcoded;
       while (pr2six[os_toascii[(unsigned char)*(bufin++)]] <= 63);
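Review bot: A final group of four valid characters loses its third decoded byte. The loop now stops at `nprbytes > 4`, so that group falls through to the tail, and the tail stores only two bytes (the `nprbytes > 1` and `nprbytes > 2` branches). For nprbytes == 4 the later `nbytesdecoded -= (4 - nprbytes) & 3` subtracts nothing, so the terminator lands one past a byte that was never written, and the caller presumably sees whatever the pool allocation held there. A third branch is needed, `if (nprbytes > 3)` with `*(bufout++) = (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);`, and the CHARSET_EBCDIC tail in the `-2002,14` hunk needs the same branch, wrapped in os_toascii/os_toebcdic. The function starts above this hunk.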
  @@ -1991,7 +1993,7 @@
   
       bufin = (const unsigned char *) bufcoded;
   
  -    while (nprbytes > 0) {
  +    while (nprbytes > 4) {
   	*(bufout++) = os_toebcdic[
   	    (unsigned char) (pr2six[os_toascii[*bufin]] << 2 | pr2six[os_toascii[bufin[1]]]
>> 4)];
   	*(bufout++) = os_toebcdic[
  @@ -2002,14 +2004,20 @@
   	nprbytes -= 4;
       }
   
  -    if (nprbytes & 03) {
  -	if (pr2six[os_toascii[bufin[-2]]] > 63)
  -	    nbytesdecoded -= 2;
  -	else
  -	    nbytesdecoded -= 1;
  +    /* Note: (nprbytes == 1) would be an error, so just ingore that case */
  +    if (nprbytes > 1) {
  +	*(bufout++) = os_toebcdic[
  +	    (unsigned char) (pr2six[os_toascii[*bufin]] << 2 | pr2six[os_toascii[bufin[1]]]
>> 4)];
       }
  -    bufplain[nbytesdecoded] = '\0';
  +    if (nprbytes > 2) {
  +	*(bufout++) = os_toebcdic[
  +	    (unsigned char) (pr2six[os_toascii[bufin[1]]] << 4 | pr2six[os_toascii[bufin[2]]]
>> 2)];
  +    }
   #endif /*CHARSET_EBCDIC*/
  +
  +    nbytesdecoded -= (4 - nprbytes) & 3;
  +    bufplain[nbytesdecoded] = '\0';
  +
       return bufplain;
   }
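Review bot: The shared epilogue `nbytesdecoded -= (4 - nprbytes) & 3;` has no comment, and it only works because nprbytes holds the size of the last group (0 to 4) once either loop has finished. I would add `/* nprbytes is the length of the final group (0..4); drop the output bytes a short group did not produce */` above it. The tail comment also misspells "ignore" as "ingore", here and in the non-EBCDIC copy.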
   
  @@ -2020,7 +2028,7 @@
   { 
       int i, len = strlen(string); 
       char *p; 
  -    char *encoded = (char *) ap_palloc(a, (len+2) / 3 * 4); 
  +    char *encoded = (char *) ap_palloc(a, ((len+2) / 3 * 4) + 1); 
    
       p = encoded; 
   #ifndef CHARSET_EBCDIC
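Review bot: `int len = strlen(string)` narrows a size_t, and the size expression `((len+2) / 3 * 4) + 1` is then evaluated in int, so a very long input could wrap and under-allocate, which is the class of bug this commit is fixing. Whether any caller can pass such a string is not visible here. Consider `size_t len = strlen(string);` (with `i` following if it is compared against len below the hunk) and a comment on the allocation such as `/* 4 chars per 3 input bytes, rounded up, plus the terminating '\0' */`. The function body continues outside the hunk.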
  
  
  
