blob: 3ccbfbc4810d398be7ff175355e4102a9af194d1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
--- 2.2.x/server/util.c 2012/01/04 19:42:04 1227279
+++ 2.2.x/server/util.c 2012/01/04 19:45:22 1227280
@@ -82,6 +82,8 @@
#define IS_SLASH(s) (s == '/')
#endif
+/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
+#define UTIL_SIZE_MAX (~((apr_size_t)0))
/*
* Examine a field value (such as a media-/content-type) string and return
@@ -366,7 +368,7 @@
char *dest, *dst;
char c;
size_t no;
- int len;
+ apr_size_t len;
if (!source)
return NULL;
@@ -391,6 +393,11 @@
len++;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+ "integer overflow or out of memory condition." );
+ return NULL;
+ }
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}
|
