httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rj...@apache.org
Subject svn commit: r1178053 - in /httpd/httpd/branches/2.2.x: CHANGES modules/filters/mod_substitute.c
Date Sat, 01 Oct 2011 17:51:37 GMT
Author: rjung
Date: Sat Oct  1 17:51:37 2011
New Revision: 1178053

URL: http://svn.apache.org/viewvc?rev=1178053&view=rev
Log:
Fix buffer overrun in mod_substitute.
No need to fix trunk, the code is no
longer present there.

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/modules/filters/mod_substitute.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1178053&r1=1178052&r2=1178053&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Sat Oct  1 17:51:37 2011
@@ -8,6 +8,8 @@ Changes with Apache 2.2.22
   *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
      of "0").  [Rainer Jung]
 
+  *) mod_substitute: Fix buffer overrun.  [Ruediger Pluem, Rainer Jung]
+
 Changes with Apache 2.2.21
 
   *) SECURITY: CVE-2011-3348 (cve.mitre.org)

Modified: httpd/httpd/branches/2.2.x/modules/filters/mod_substitute.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/filters/mod_substitute.c?rev=1178053&r1=1178052&r2=1178053&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/filters/mod_substitute.c (original)
+++ httpd/httpd/branches/2.2.x/modules/filters/mod_substitute.c Sat Oct  1 17:51:37 2011
@@ -213,7 +213,7 @@ static void do_pattmatch(ap_filter_t *f,
                      * we've allocated and only re-alloc when we need it.
                      * NOTE: this screams for a macro.
                      */
-                    if (!scratch || (bytes > (fbytes + 1))) {
+                    if (!scratch || (bytes + 1 > fbytes)) {
                         fbytes = bytes + 1;
                         scratch = apr_palloc(tpool, fbytes);
                     }



Mime
View raw message