httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject svn commit: r1634522 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS modules/filters/mod_substitute.c
Date Mon, 27 Oct 2014 12:42:37 GMT
Author: jim
Date: Mon Oct 27 12:42:37 2014
New Revision: 1634522

URL: http://svn.apache.org/r1634522
Log:
Merge r1628104, r1628918 from trunk:

mod_substitute: Fix memory limitation in case of
regexp plus flatten.

The maxlen argument of ap_varbuf_regsub() is unsigned.
Passing in "AP_SUBST_MAX_LINE_LENGTH - vb.strlen"
in case vb.strlen got to big didn't result in the
expected error but instead was handled as a very big
maxlen.


Add CHANGES for r1628104.
(mod_substitue: Fix memory limitation in case of
regexp plus flatten.)

Submitted by: rjung
Reviewed/backported by: jim

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/modules/filters/mod_substitute.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1628104,1628918

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1634522&r1=1634521&r2=1634522&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Oct 27 12:42:37 2014
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.4.11
 
+  *) mod_substitute: Fix line length limitation in case of regexp plus flatten.
+     [Rainer Jung]
+  
   *) mod_proxy: Truncated character worker names are no longer fatal
      errors. PR53218. [Jim Jagielski]
 

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1634522&r1=1634521&r2=1634522&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Mon Oct 27 12:42:37 2014
@@ -102,12 +102,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_substitute: Fix memory limitation in case of regexp plus flatten.
-     trunk patch: http://svn.apache.org/r1628104
-                  http://svn.apache.org/r1628918 (CHANGES)
-     2.4.x patch: trunk works
-     +1: rjung, covener, jim
-
    * mod_substitute: Make maximum line length configurable.
      trunk patch: http://svn.apache.org/r1628919
                   http://svn.apache.org/r1628950 (docs, adjust "compatibility")

Modified: httpd/httpd/branches/2.4.x/modules/filters/mod_substitute.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/filters/mod_substitute.c?rev=1634522&r1=1634521&r2=1634522&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/filters/mod_substitute.c (original)
+++ httpd/httpd/branches/2.4.x/modules/filters/mod_substitute.c Mon Oct 27 12:42:37 2014
@@ -235,9 +235,11 @@ static apr_status_t do_pattmatch(ap_filt
                         have_match = 1;
                         if (script->flatten && !force_quick) {
                             /* copy bytes before the match */
+                            if (vb.strlen + regm[0].rm_so >= AP_SUBST_MAX_LINE_LENGTH)
+                                return APR_ENOMEM;
                             if (regm[0].rm_so > 0)
                                 ap_varbuf_strmemcat(&vb, pos, regm[0].rm_so);
-                            /* add replacement string */
+                            /* add replacement string, last argument is unsigned! */
                             rv = ap_varbuf_regsub(&vb, script->replacement, pos,
                                                   AP_MAX_REG_MATCH, regm,
                                                   AP_SUBST_MAX_LINE_LENGTH - vb.strlen);



Mime
View raw message