Posted to cvs@httpd.apache.org by gb...@apache.org on 2023/03/28 21:12:47 UTC

svn commit: r1908772 - /httpd/httpd/trunk/server/util_expr_eval.c

Author: gbechis
Date: Tue Mar 28 21:12:47 2023
New Revision: 1908772

URL: http://svn.apache.org/viewvc?rev=1908772&view=rev
Log:
Fix a possible null pointer dereference in ap_expr_parse()

In ap_expr_parse(), ap_expr_yylex_init() will return 1 on failure,
and ctx.scanner will remain NULL. However, the return value of
ap_expr_yylex_init() is not checked, and there is a dereference of
ctx.scanner in the following function ap_expr_yyset_extra(),
which may lead to a NULL pointer dereference.

Fix this bug by adding a return value check of ap_expr_yylex_init.

Submitted by: Zhou Qingyang <zh...@umn.edu>

Github: closes #308

Modified:
    httpd/httpd/trunk/server/util_expr_eval.c

Modified: httpd/httpd/trunk/server/util_expr_eval.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_eval.c?rev=1908772&r1=1908771&r2=1908772&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr_eval.c (original)
+++ httpd/httpd/trunk/server/util_expr_eval.c Tue Mar 28 21:12:47 2023
@@ -592,7 +592,10 @@ AP_DECLARE(const char *) ap_expr_parse(a
     ctx.lookup_fn   = lookup_fn ? lookup_fn : ap_expr_lookup_default;
     ctx.at_start    = 1;
 
-    ap_expr_yylex_init(&ctx.scanner);
+    rc = ap_expr_yylex_init(&ctx.scanner);
+    if (rc)
+        return "ap_expr_yylex_init error";
+
     ap_expr_yyset_extra(&ctx, ctx.scanner);
     rc = ap_expr_yyparse(&ctx);
     ap_expr_yylex_destroy(ctx.scanner);
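
Review bot: the early return after `if (rc)` skips `ap_expr_yylex_destroy(ctx.scanner)`, which is only safe because, as the log message states, ctx.scanner is still NULL when ap_expr_yylex_init() fails; a one-line comment above the return saying so would keep a later reader from "fixing" the missing destroy or from adding cleanup that dereferences the NULL scanner. The returned string "ap_expr_yylex_init error" also gives the caller no indication of why initialisation failed, so consider a message that states the cause if one is available at this point. Reusing `rc` for both the init result and the later `ap_expr_yyparse(&ctx)` result is fine here since the first value is consumed before the second assignment.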