Diffstat (limited to 'main/apache2/CVE-2011-3607.patch')
-rw-r--r--main/apache2/CVE-2011-3607.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/main/apache2/CVE-2011-3607.patch b/main/apache2/CVE-2011-3607.patch
new file mode 100644
index 0000000000..3ccbfbc481
--- /dev/null
+++ b/main/apache2/CVE-2011-3607.patch
@@ -0,0 +1,32 @@
+--- 2.2.x/server/util.c 2012/01/04 19:42:04 1227279
++++ 2.2.x/server/util.c 2012/01/04 19:45:22 1227280
+@@ -82,6 +82,8 @@
+ #define IS_SLASH(s) (s == '/')
+ #endif
+
++/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
++#define UTIL_SIZE_MAX (~((apr_size_t)0))
+
+ /*
+ * Examine a field value (such as a media-/content-type) string and return
+@@ -366,7 +368,7 @@
+ char *dest, *dst;
+ char c;
+ size_t no;
+- int len;
++ apr_size_t len;
+
+ if (!source)
+ return NULL;
+@@ -391,6 +393,11 @@
+ len++;
+ }
+ else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
++ if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
++ "integer overflow or out of memory condition." );
++ return NULL;
++ }
+ len += pmatch[no].rm_eo - pmatch[no].rm_so;
+ }
+
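Review bot: The new overflow branch in the third embedded hunk (`return NULL;` after the `UTIL_SIZE_MAX - len` comparison) gives this function a second NULL-returning path besides `if (!source) return NULL;`, and the patch touches only server/util.c. Any caller that passes a non-NULL source and uses the result without a check would now dereference NULL on this path, so the callers should be audited in the same package update. I would also record the contract above the function, e.g. `/* Returns NULL if source is NULL or the substituted length would overflow apr_size_t; callers must check. */`. The guard only rejects lengths that wrap apr_size_t, so a very large but representable `len` still reaches the allocation; a configurable upper bound would be a stronger limit. The function body starts and ends outside the embedded hunks, so the allocation site itself is not visible here.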