Posted to cvs@httpd.apache.org by ic...@apache.org on 2021/08/10 08:59:48 UTC

svn commit: r1892173 - in /httpd/httpd/branches/2.4.x: ./ server/util.c

Author: icing
Date: Tue Aug 10 08:59:48 2021
New Revision: 1892173

URL: http://svn.apache.org/viewvc?rev=1892173&view=rev
Log:
Merge of 1892038,1892063 from trunk:

  *) core: avoid signed integer overflow under fuzzing in
     ap_timeout_parameter_parse


Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/server/util.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1892038,1892063

Modified: httpd/httpd/branches/2.4.x/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/util.c?rev=1892173&r1=1892172&r2=1892173&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/server/util.c (original)
+++ httpd/httpd/branches/2.4.x/server/util.c Tue Aug 10 08:59:48 2021
@@ -2597,6 +2597,7 @@ AP_DECLARE(apr_status_t) ap_timeout_para
     char *endp;
     const char *time_str;
     apr_int64_t tout;
+    apr_uint64_t check;
 
     tout = apr_strtoi64(timeout_parameter, &endp, 10);
     if (errno) {
@@ -2609,24 +2610,28 @@ AP_DECLARE(apr_status_t) ap_timeout_para
         time_str = endp;
     }
 
+    if (tout < 0) { 
+        return APR_ERANGE;
+    }
+
     switch (*time_str) {
         /* Time is in seconds */
     case 's':
-        *timeout = (apr_interval_time_t) apr_time_from_sec(tout);
+        check = apr_time_from_sec(tout);
         break;
     case 'h':
         /* Time is in hours */
-        *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 3600);
+        check = apr_time_from_sec(tout * 3600);
         break;
     case 'm':
         switch (*(++time_str)) {
         /* Time is in milliseconds */
         case 's':
-            *timeout = (apr_interval_time_t) tout * 1000;
+            check = tout * 1000;
             break;
         /* Time is in minutes */
         case 'i':
-            *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 60);
+            check = apr_time_from_sec(tout * 60);
             break;
         default:
             return APR_EGENERAL;
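Review bot: The products in the `'s'`, `'h'`, `'ms'` and `'mi'` cases are still evaluated in signed 64-bit arithmetic before the result is stored in the unsigned `check`. `tout * 3600`, `tout * 60` and `tout * 1000` are `apr_int64_t` multiplications, and `apr_time_from_sec()` is, as far as I know, a macro that casts to `apr_time_t` and multiplies by `APR_USEC_PER_SEC`, so it is signed as well. A large non-negative `tout` can therefore still trigger the signed overflow the log message refers to, with `check` only receiving the already-overflowed value. I would bound `tout` before multiplying, for example in the `'h'` case `if (tout > APR_INT64_MAX / (3600 * APR_USEC_PER_SEC)) return APR_ERANGE;`, with the matching divisor for each other unit. The function begins and ends outside this hunk.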
@@ -2635,6 +2640,10 @@ AP_DECLARE(apr_status_t) ap_timeout_para
     default:
         return APR_EGENERAL;
     }
+    if (check > APR_INT64_MAX || check < tout) { 
+        return APR_ERANGE;
+    }
+    *timeout = (apr_interval_time_t) check;
     return APR_SUCCESS;
 }
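Review bot: The `check < tout` test in the added range check does not detect every wraparound. A product reduced modulo 2^64 can land between `tout` and `APR_INT64_MAX`, in which case an oversized directive value would be accepted as a much shorter timeout instead of being rejected with `APR_ERANGE`. Because the test runs after the multiplication, it can only guess at overflow from the result; a per-unit upper limit on `tout` checked before the multiply would be exact and would leave only the final cast here. If the post-hoc test is kept, it deserves a comment such as `/* best-effort: detects some, not all, wrapped products */`. The start of the function is outside this hunk.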