You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ic...@apache.org on 2022/04/16 10:09:59 UTC

svn commit: r1899905 - /httpd/httpd/trunk/server/util.c

Author: icing
Date: Sat Apr 16 10:09:59 2022
New Revision: 1899905

URL: http://svn.apache.org/viewvc?rev=1899905&view=rev
Log:
  *) core: improved checks in ap_escape_quotes() for
     extra long strings (or resulting strings) that
     exceed ptrdiff_t ranges.
     [Yann Ylavic, Stefan Eissing]


Modified:
    httpd/httpd/trunk/server/util.c

Modified: httpd/httpd/trunk/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?rev=1899905&r1=1899904&r2=1899905&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util.c (original)
+++ httpd/httpd/trunk/server/util.c Sat Apr 16 10:09:59 2022
@@ -2615,7 +2615,7 @@ AP_DECLARE(void) ap_content_type_tolower
  */
 AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
 {
-    apr_ssize_t extra = 0;
+    apr_size_t size, extra = 0;
     const char *inchr = instring;
     char *outchr, *outstring;
 
@@ -2641,7 +2641,24 @@ AP_DECLARE(char *) ap_escape_quotes(apr_
         return apr_pstrdup(p, instring);
     }
 
-    outstring = apr_palloc(p, (inchr - instring) + extra + 1);
+    /* How large will the string become, once we escaped all the quotes?
+     * The tricky cases are
+     * - an `instring` that is already longer than `ptrdiff_t`
+     *   can hold (which is an undefined case in C, as C defines ptrdiff_t as
+     *   a signed difference between pointers into the same array and one index
+     *   beyond).
+     * - an `instring` that, including the `extra` chars we want to add, becomes
+     *   even larger than apr_size_t can handle.
+     * Since this function was not designed to ever return NULL for failure, we
+     * can only trigger a hard assertion failure. It seems more a programming
+     * mistake (or failure to verify the input causing this) that leads to this
+     * situation.
+     */
+    ap_assert(inchr - instring > 0);
+    size = ((apr_size_t)(inchr - instring)) + 1;
+    ap_assert(size + extra > size);
+
+    outstring = apr_palloc(p, size + extra);
     inchr = instring;
     outchr = outstring;
     /*