diff options
Diffstat (limited to 'main/apache2/CVE-2011-3607.patch')
| -rw-r--r-- | main/apache2/CVE-2011-3607.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/main/apache2/CVE-2011-3607.patch b/main/apache2/CVE-2011-3607.patch new file mode 100644 index 0000000000..3ccbfbc481 --- /dev/null +++ b/main/apache2/CVE-2011-3607.patch @@ -0,0 +1,32 @@ +--- 2.2.x/server/util.c 2012/01/04 19:42:04 1227279 ++++ 2.2.x/server/util.c 2012/01/04 19:45:22 1227280 +@@ -82,6 +82,8 @@ + #define IS_SLASH(s) (s == '/') + #endif + ++/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */ ++#define UTIL_SIZE_MAX (~((apr_size_t)0)) + + /* + * Examine a field value (such as a media-/content-type) string and return +@@ -366,7 +368,7 @@ + char *dest, *dst; + char c; + size_t no; +- int len; ++ apr_size_t len; + + if (!source) + return NULL; +@@ -391,6 +393,11 @@ + len++; + } + else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { ++ if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) { ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, ++ "integer overflow or out of memory condition." ); ++ return NULL; ++ } + len += pmatch[no].rm_eo - pmatch[no].rm_so; + } + |