You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rj...@apache.org on 2011/10/01 19:51:37 UTC
svn commit: r1178053 - in /httpd/httpd/branches/2.2.x: CHANGES
modules/filters/mod_substitute.c
Author: rjung
Date: Sat Oct 1 17:51:37 2011
New Revision: 1178053
URL: http://svn.apache.org/viewvc?rev=1178053&view=rev
Log:
Fix buffer overrun in mod_substitute.
No need to fix trunk, the code is no
longer present there.
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/modules/filters/mod_substitute.c
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1178053&r1=1178052&r2=1178053&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Sat Oct 1 17:51:37 2011
@@ -8,6 +8,8 @@ Changes with Apache 2.2.22
*) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
of "0"). [Rainer Jung]
+ *) mod_substitute: Fix buffer overrun. [Ruediger Pluem, Rainer Jung]
+
Changes with Apache 2.2.21
*) SECURITY: CVE-2011-3348 (cve.mitre.org)
Modified: httpd/httpd/branches/2.2.x/modules/filters/mod_substitute.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/filters/mod_substitute.c?rev=1178053&r1=1178052&r2=1178053&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/filters/mod_substitute.c (original)
+++ httpd/httpd/branches/2.2.x/modules/filters/mod_substitute.c Sat Oct 1 17:51:37 2011
@@ -213,7 +213,7 @@ static void do_pattmatch(ap_filter_t *f,
* we've allocated and only re-alloc when we need it.
* NOTE: this screams for a macro.
*/
- if (!scratch || (bytes > (fbytes + 1))) {
+ if (!scratch || (bytes + 1 > fbytes)) {
fbytes = bytes + 1;
scratch = apr_palloc(tpool, fbytes);
}