httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From yla...@apache.org
Subject svn commit: r1572671 - /httpd/httpd/trunk/modules/filters/mod_deflate.c
Date Thu, 27 Feb 2014 18:15:04 GMT
Author: ylavic
Date: Thu Feb 27 18:15:03 2014
New Revision: 1572671

URL: http://svn.apache.org/r1572671
Log:
Commit 6 on 6 to fix reentrance (incomplete Zlib header or validation bytes) in mod_deflate's
output and input filters.
PR 46146 (patches from duplicated PR 55666)

Ignore empty buckets and split buckets longer than INT_MAX (since zlib uses 32-bit ints only)
in all filters.

Modified:
    httpd/httpd/trunk/modules/filters/mod_deflate.c

Modified: httpd/httpd/trunk/modules/filters/mod_deflate.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_deflate.c?rev=1572671&r1=1572670&r2=1572671&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/filters/mod_deflate.c (original)
+++ httpd/httpd/trunk/modules/filters/mod_deflate.c Thu Feb 27 18:15:03 2014
@@ -49,6 +49,8 @@
 
 #include "zlib.h"
 
+#include <limits.h>     /* for INT_MAX */
+
 static const char deflateFilterName[] = "DEFLATE";
 module AP_MODULE_DECLARE_DATA deflate_module;
 
@@ -843,6 +845,14 @@ static apr_status_t deflate_out_filter(a
 
         /* read */
         apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+        if (!len) {
+            apr_bucket_delete(e);
+            continue;
+        }
+        if (len > INT_MAX) {
+            apr_bucket_split(e, INT_MAX);
+            apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+        }
 
         /* This crc32 function is from zlib. */
         ctx->crc = crc32(ctx->crc, (const Bytef *)data, len);
@@ -1187,6 +1197,13 @@ static apr_status_t deflate_in_filter(ap
 
             /* read */
             apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ);
+            if (!len) {
+                continue;
+            }
+            if (len > INT_MAX) {
+                apr_bucket_split(bkt, INT_MAX);
+                apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ);
+            }
 
             if (ctx->zlib_flags) {
                 rv = consume_zlib_flags(ctx, &data, &len);
@@ -1200,7 +1217,7 @@ static apr_status_t deflate_in_filter(ap
 
             /* pass through zlib inflate. */
             ctx->stream.next_in = (unsigned char *)data;
-            ctx->stream.avail_in = len;
+            ctx->stream.avail_in = (int)len;
 
             zRC = Z_OK;
 
@@ -1533,6 +1550,14 @@ static apr_status_t inflate_out_filter(a
 
         /* read */
         apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+        if (!len) {
+            apr_bucket_delete(e);
+            continue;
+        }
+        if (len > INT_MAX) {
+            apr_bucket_split(e, INT_MAX);
+            apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+        }
 
         /* first bucket contains zlib header */
         if (ctx->header_len < sizeof(ctx->header)) {



Mime
View raw message