Subject: svn commit: r1572671 - /httpd/httpd/trunk/modules/filters/mod_deflate.c
Date: Thu, 27 Feb 2014 18:15:04 -0000
To: cvs@httpd.apache.org
From: ylavic@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20140227181504.7209523888E4@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: ylavic Date: Thu Feb 27 18:15:03 2014 New Revision: 1572671 URL: http://svn.apache.org/r1572671 Log: Commit 6 on 6 to fix reentrance (incomplete Zlib header or validation bytes) in mod_deflate's output and input filters. PR 46146 (patches from duplicated PR 55666) Ignore empty buckets and split buckets longer than INT_MAX (since zlib uses 32-bit ints only) in all filters. Modified: httpd/httpd/trunk/modules/filters/mod_deflate.c Modified: httpd/httpd/trunk/modules/filters/mod_deflate.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_deflate.c?rev=1572671&r1=1572670&r2=1572671&view=diff ============================================================================== --- httpd/httpd/trunk/modules/filters/mod_deflate.c (original) +++ httpd/httpd/trunk/modules/filters/mod_deflate.c Thu Feb 27 18:15:03 2014 @@ -49,6 +49,8 @@ #include "zlib.h" +#include /* for INT_MAX */ + static const char deflateFilterName[] = "DEFLATE"; module AP_MODULE_DECLARE_DATA deflate_module; @@ -843,6 +845,14 @@ static apr_status_t deflate_out_filter(a /* read */ apr_bucket_read(e, &data, &len, APR_BLOCK_READ); + if (!len) { + apr_bucket_delete(e); + continue; + } + if (len > INT_MAX) { + apr_bucket_split(e, INT_MAX); + apr_bucket_read(e, &data, &len, APR_BLOCK_READ); + } /* This crc32 function is from zlib. */ ctx->crc = crc32(ctx->crc, (const Bytef *)data, len); @@ -1187,6 +1197,13 @@ static apr_status_t deflate_in_filter(ap /* read */ apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ); + if (!len) { + continue; + } + if (len > INT_MAX) { + apr_bucket_split(bkt, INT_MAX); + apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ); + } if (ctx->zlib_flags) { rv = consume_zlib_flags(ctx, &data, &len); 
@@ -1200,7 +1217,7 @@ static apr_status_t deflate_in_filter(ap /* pass through zlib inflate. */ ctx->stream.next_in = (unsigned char *)data; - ctx->stream.avail_in = len; + ctx->stream.avail_in = (int)len; zRC = Z_OK; @@ -1533,6 +1550,14 @@ static apr_status_t inflate_out_filter(a /* read */ apr_bucket_read(e, &data, &len, APR_BLOCK_READ); + if (!len) { + apr_bucket_delete(e); + continue; + } + if (len > INT_MAX) { + apr_bucket_split(e, INT_MAX); + apr_bucket_read(e, &data, &len, APR_BLOCK_READ); + } /* first bucket contains zlib header */ if (ctx->header_len < sizeof(ctx->header)) {
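Review bot: In the deflate_out_filter hunk (@@ -843), the return values of apr_bucket_split(e, INT_MAX) and of the apr_bucket_read() that follows it are ignored, so if the split does not succeed, len stays above INT_MAX and is passed unchanged to crc32(ctx->crc, (const Bytef *)data, len). Suggest checking both calls and returning the error status before touching data and len. The same block is repeated in the deflate_in_filter (@@ -1187) and inflate_out_filter (@@ -1533) hunks, so a small static helper that does the zero-length check, the split and the re-read would keep the three copies from diverging.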
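Review bot: The empty-bucket branch in the deflate_in_filter hunk (@@ -1187) only does `continue`, whereas the deflate_out_filter and inflate_out_filter hunks call apr_bucket_delete(e) before continuing. If the difference is intentional because this loop advances bkt on its own, a one-line comment saying so would help the next reader; if not, the empty bucket should be handled the same way in all three filters.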
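Review bot: In the @@ -1200 hunk, `ctx->stream.avail_in = (int)len;` casts to a signed int, while zlib declares avail_in as uInt. The value is preserved only because the @@ -1187 hunk bounds len at INT_MAX first, and that bound depends on the unchecked apr_bucket_split() succeeding. Suggest casting to the field's own type and adding a short comment that points at the INT_MAX check, so the narrowing is visibly safe at the assignment.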