Return-Path: Delivered-To: apmail-httpd-cvs-archive@www.apache.org Received: (qmail 84383 invoked from network); 18 Jul 2009 23:12:24 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 18 Jul 2009 23:12:24 -0000 Received: (qmail 78365 invoked by uid 500); 18 Jul 2009 23:13:29 -0000 Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 78287 invoked by uid 500); 18 Jul 2009 23:13:29 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 78278 invoked by uid 99); 18 Jul 2009 23:13:29 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 18 Jul 2009 23:13:29 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 18 Jul 2009 23:13:19 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 7D9F9238886C; Sat, 18 Jul 2009 23:12:59 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r795445 - in /httpd/httpd/trunk: include/ap_expr.h modules/filters/mod_include.c server/util_expr.c Date: Sat, 18 Jul 2009 23:12:59 -0000 To: cvs@httpd.apache.org 
From: niq@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20090718231259.7D9F9238886C@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: niq Date: Sat Jul 18 23:12:58 2009 New Revision: 795445 URL: http://svn.apache.org/viewvc?rev=795445&view=rev Log: Fix mod_include potential segfault checking backref from unmatched regexp http://markmail.org/message/jlc7t5edsjujbe37 Patch by rpluem, lars, niq Modified: httpd/httpd/trunk/include/ap_expr.h httpd/httpd/trunk/modules/filters/mod_include.c httpd/httpd/trunk/server/util_expr.c
Modified: httpd/httpd/trunk/include/ap_expr.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_expr.h?rev=795445&r1=795444&r2=795445&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_expr.h (original)
+++ httpd/httpd/trunk/include/ap_expr.h Sat Jul 18 23:12:58 2009
@@ -73,6 +73,7 @@
 const char *rexp;
 apr_size_t nsub;
 ap_regmatch_t match[AP_MAX_REG_MATCH];
+ int have_match;
 } backref_t;
 typedef const char *(*string_func_t)(request_rec*, const char*);
Modified: httpd/httpd/trunk/modules/filters/mod_include.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_include.c?rev=795445&r1=795444&r2=795445&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/filters/mod_include.c (original)
+++ httpd/httpd/trunk/modules/filters/mod_include.c Sat Jul 18 23:12:58 2009
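Review bot: The added `int have_match;` in `backref_t` (ap_expr.h hunk) carries no comment, although the rest of this commit uses it to decide whether `match[]` may be read at all. I would add `/* non-zero if the last ap_regexec() on source matched; match[] is only valid then */` next to the field. The struct definition begins outside the hunk, so it is not visible whether any other code creates a `backref_t` without setting this field; if some does, the field needs an explicit initial value there.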
@@ -605,25 +605,30 @@
 * The choice of returning NULL strings on not-found,
 * v.s. empty strings on an empty match is deliberate.
 */
- if (!re) {
+ if (!re || !re->have_match) {
 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
 "regex capture $%" APR_SIZE_T_FMT " refers to no regex in %s",
 idx, r->filename);
 return NULL;
 }
- else {
- if (re->nsub < idx || idx >= AP_MAX_REG_MATCH) {
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
- "regex capture $%" APR_SIZE_T_FMT
- " is out of range (last regex was: '%s') in %s",
- idx, re->rexp, r->filename);
- return NULL;
- }
-
- if (re->match[idx].rm_so < 0 || re->match[idx].rm_eo < 0) {
- return NULL;
- }
+ else if (re->match[idx]rm_so == re->match[idx].rm_eo) {
+ return NULL;
+ }
+ else if (re->match[idx].rm_so < 0 || re->match[idx].rm_eo < 0) {
+ /* I don't think this can happen if have_match is true.
+ * But let's not risk a regression by dropping this
+ */
+ return NULL;
+ }
+ else if (re->nsub < idx || idx >= AP_MAX_REG_MATCH) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "regex capture $%" APR_SIZE_T_FMT
+ " is out of range (last regex was: '%s') in %s",
+ idx, re->rexp, r->filename);
+ return NULL;
+ }
+ else {
 val = apr_pstrmemdup(ctx->dpool, re->source + re->match[idx].rm_so,
 re->match[idx].rm_eo - re->match[idx].rm_so);
 }
Modified: httpd/httpd/trunk/server/util_expr.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr.c?rev=795445&r1=795444&r2=795445&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr.c (original)
+++ httpd/httpd/trunk/server/util_expr.c Sat Jul 18 23:12:58 2009
@@ -265,7 +265,6 @@
 {
 ap_regex_t *compiled;
 backref_t *re = reptr ? *reptr : NULL;
- int rc;
 compiled = ap_pregcomp(r->pool, rexp, AP_REG_EXTENDED);
 if (!compiled) {
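Review bot: In the mod_include.c hunk (@@ -605), the new `else if` chain reads `re->match[idx]` before the `re->nsub < idx || idx >= AP_MAX_REG_MATCH` branch runs, so an index at or above AP_MAX_REG_MATCH reads past the end of `match[]`; the removed code did the range check first. Move the range-check branch directly after the `!re || !re->have_match` test so the `rm_so`/`rm_eo` comparisons only ever see a validated `idx`. The first added comparison is also written `re->match[idx]rm_so`, which lacks the `.` and will not compile; it should read `re->match[idx].rm_so == re->match[idx].rm_eo`. That same branch returns NULL for an empty capture, which appears to contradict the retained comment saying an empty match deliberately yields an empty string, so it is worth confirming the change is intended. The enclosing function starts and ends outside the hunk.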
@@ -284,10 +283,11 @@
 re->source = apr_pstrdup(r->pool, string);
 re->rexp = apr_pstrdup(r->pool, rexp);
 re->nsub = compiled->re_nsub;
- rc = !ap_regexec(compiled, string, AP_MAX_REG_MATCH, re->match, 0);
+ re->have_match = !ap_regexec(compiled, string, AP_MAX_REG_MATCH,
+ re->match, 0);
 ap_pregfree(r->pool, compiled);
- return rc;
+ return re->have_match;
 }
 static int get_ptoken(apr_pool_t *pool, const char **parse, token_t *token,