From traw...@apache.org
Subject svn commit: r1527362 - in /httpd/mod_fcgid/trunk: CHANGES-FCGID modules/fcgid/fcgid_bucket.c
Date Sun, 29 Sep 2013 17:40:47 GMT
Author: trawick
Date: Sun Sep 29 17:40:47 2013
New Revision: 1527362

URL: http://svn.apache.org/r1527362
Log:
SECURITY: CVE-2013-4365 (cve.mitre.org)
Fix possible heap buffer overwrite.

Submitted by: Robert Matthews <rob tigertech.com>

Modified:
    httpd/mod_fcgid/trunk/CHANGES-FCGID
    httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bucket.c

Modified: httpd/mod_fcgid/trunk/CHANGES-FCGID
URL: http://svn.apache.org/viewvc/httpd/mod_fcgid/trunk/CHANGES-FCGID?rev=1527362&r1=1527361&r2=1527362&view=diff
==============================================================================
--- httpd/mod_fcgid/trunk/CHANGES-FCGID [utf8] (original)
+++ httpd/mod_fcgid/trunk/CHANGES-FCGID [utf8] Sun Sep 29 17:40:47 2013
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with mod_fcgid 2.3.8
 
+  *) SECURITY: CVE-2013-4365 (cve.mitre.org)
+     Fix possible heap buffer overwrite.  Reported and solved by:
+     [Robert Matthews <rob tigertech.com>]
+
   *) Add experimental cmake-based build system for Windows.  [Jeff Trawick]
 
   *) Correctly parse quotation and escaped spaces in FcgidWrapper and the

Modified: httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bucket.c
URL: http://svn.apache.org/viewvc/httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bucket.c?rev=1527362&r1=1527361&r2=1527362&view=diff
==============================================================================
--- httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bucket.c (original)
+++ httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bucket.c Sun Sep 29 17:40:47 2013
@@ -112,10 +112,12 @@ static apr_status_t fcgid_header_bucket_
     if (header.type == FCGI_STDERR) {
         char *logbuf = apr_bucket_alloc(APR_BUCKET_BUFF_SIZE, b->list);
         char *line;
+        apr_size_t hasput;
 
         memset(logbuf, 0, APR_BUCKET_BUFF_SIZE);
 
         hasread = 0;
+        hasput = 0;
         while (hasread < bodysize) {
             char *buffer;
             apr_size_t bufferlen, canput, willput;
@@ -130,9 +132,10 @@ static apr_status_t fcgid_header_bucket_
 
             canput = fcgid_min(bufferlen, bodysize - hasread);
             willput =
-                fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasread - 1);
-            memcpy(logbuf + hasread, buffer, willput);
+                fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasput - 1);
+            memcpy(logbuf + hasput, buffer, willput);
             hasread += canput;
+            hasput += willput;
 
             /* Ignore the "canput" bytes */
             fcgid_ignore_bytes(ctx, canput);
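Review bot: The bound `APR_BUCKET_BUFF_SIZE - hasput - 1` is safe only because `hasput` can never exceed `APR_BUCKET_BUFF_SIZE - 1`, and nothing at the `willput` assignment states that invariant. `hasput` is an `apr_size_t`, and `hasread` (declared outside the hunk) is presumably unsigned too, so the old expression would wrap once `hasread` passed the buffer size; a later edit could reintroduce that unnoticed. I would add a comment above the assignment, for example `/* hasread = bytes consumed from the record, hasput = bytes stored in logbuf; hasput <= APR_BUCKET_BUFF_SIZE - 1, so this cannot wrap and the NUL from memset survives */`. The same comment should say that stderr output beyond the buffer is consumed by `fcgid_ignore_bytes` but dropped without any truncation marker, which matters to anyone relying on these logs during an investigation. The loop and the enclosing function continue outside the hunk, so how `logbuf` is logged and released cannot be checked from here.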


