httpd-dev mailing list archives

From Roman Drahtmueller <dr...@suse.de>
Subject CVE-2011-3607, int overflow ap_pregsub()
Date Tue, 15 Nov 2011 14:12:40 GMT
Hi there,

Revision 1198940 attempts to fix an integer overflow in ap_pregsub() in 
server/util.c:394. The patch is:

--- httpd/httpd/trunk/server/util.c	2011/11/07 21:09:41	1198939
+++ httpd/httpd/trunk/server/util.c	2011/11/07 21:13:40	1198940
@@ -411,6 +411,8 @@
             len++;
         }
         else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+            if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
+                return APR_ENOMEM;
             len += pmatch[no].rm_eo - pmatch[no].rm_so;
         }
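Review bot: the `return APR_ENOMEM;` added under the overflow check does not match the function's return type. As the message below points out, ap_pregsub() is declared `AP_DECLARE(char *)`, so the apr_status_t integer is converted to a `char *` and a caller, which never expected a NULL from this function, receives a small non-NULL pointer it will then read as a string. Return NULL here (or change the signature to return apr_status_t with an out-parameter for the string) and check every caller for the new failure value.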


, and appears wrong, because ap_pregsub() is

AP_DECLARE(char *) ap_pregsub(...)

This would require something along the lines of (proposal):


         }
         else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+            if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
+               ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL,
+                       "integer overflow or out of memory condition." );
+                return NULL;
+           }
             len += pmatch[no].rm_eo - pmatch[no].rm_so;
         }

     }

     dest = dst = apr_pcalloc(p, len + 1);

+    if(!dest)
+       return NULL;
+
+
     /* Now actually fill in the string */
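Review bot: the closing brace added as `+           }` sits one column short of the `if (` it closes, and `if(!dest)` lacks the space after `if` that the surrounding code uses (`else if (`). On substance, both new `return NULL;` paths change the contract of a function that previously always returned a string, so each caller of ap_pregsub() needs a NULL check before this proposal goes in. Note also that apr_pcalloc() returns NULL only when the pool has no abort function set; when one is set it is invoked instead, so the `if(!dest)` check is harmless but will rarely be reached.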


...or simply without the error logging.

Thoughts?
Thanks,
Roman.
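As an added example that is not part of Roman's message or of the httpd patch, the following standalone C program models the length accumulation ap_pregsub() performs before calling apr_pcalloc(p, len + 1), once with the APR_SIZE_MAX guard from r1198940 and once without it. The back-reference lengths are constructed inputs, SIZE_MAX stands in for APR_SIZE_MAX, and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the first pass of ap_pregsub(): it walks the replacement string
 * and, for every "$N" back-reference it meets, adds the length of match N
 * (pmatch[N].rm_eo - pmatch[N].rm_so) to `len`, then allocates len + 1 bytes.
 * Here each entry of `ref_len` is the length of one such back-reference
 * (constructed input; SIZE_MAX stands in for APR_SIZE_MAX).
 *
 * Guard from r1198940:  SIZE_MAX - len <= ref_len[i]  rejects the case
 * len + ref_len[i] >= SIZE_MAX, which also covers the +1 for the terminator.
 * Returns 0 on success with the total in *out_len, -1 on overflow; a caller
 * modelling the `char *` ap_pregsub() would then return NULL, not an integer.
 */
int sum_ref_lengths(const size_t *ref_len, size_t nrefs, size_t *out_len)
{
    size_t len = 0;
    for (size_t i = 0; i < nrefs; i++) {
        if (SIZE_MAX - len <= ref_len[i])
            return -1;   /* check before the add: afterwards len has already wrapped */
        len += ref_len[i];
    }
    *out_len = len;
    return 0;
}

/* Same accumulation without the guard: wraps silently, so len + 1 becomes a tiny allocation. */
size_t sum_ref_lengths_unchecked(const size_t *ref_len, size_t nrefs)
{
    size_t len = 0;
    for (size_t i = 0; i < nrefs; i++)
        len += ref_len[i];
    return len;
}

/* Constructed inputs, not taken from the mailing list. */
static const size_t kOverflowRefs[] = { SIZE_MAX / 2, SIZE_MAX / 2, 2 }; /* sums to SIZE_MAX + 1 */
static const size_t kBoundaryOk[]   = { SIZE_MAX - 1 };                   /* len + 1 == SIZE_MAX still fits */
static const size_t kBoundaryBad[]  = { SIZE_MAX };                       /* len + 1 would wrap to 0 */

int main(void)
{
    size_t len = 0;
    size_t wrapped = sum_ref_lengths_unchecked(kOverflowRefs, 3);

    if (sum_ref_lengths(kOverflowRefs, 3, &len) != 0)
        printf("guarded:   overflow detected, nothing allocated\n");
    printf("unguarded: len wrapped to %zu, so apr_pcalloc(p, len + 1) would request %zu byte(s)\n",
           wrapped, wrapped + 1);
    printf("boundary SIZE_MAX - 1: %d (accepted)\n", sum_ref_lengths(kBoundaryOk, 1, &len));
    printf("boundary SIZE_MAX:     %d (rejected, len + 1 would not fit)\n",
           sum_ref_lengths(kBoundaryBad, 1, &len));
    return 0;
}
```

The boundary cases show why the check uses `<=` rather than `<`: a total of exactly SIZE_MAX passes an `<` test but makes the `len + 1` passed to apr_pcalloc() wrap to zero.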
