Posted to cvs@httpd.apache.org by ja...@apache.org on 2021/08/10 18:49:20 UTC

svn commit: r1892185 - /httpd/httpd/trunk/server/util.c

Author: jailletc36
Date: Tue Aug 10 18:49:20 2021
New Revision: 1892185

URL: http://svn.apache.org/viewvc?rev=1892185&view=rev
Log:
Follow up to 1892038, 1892063.

Improve fix to please a fuzzer which reports:
   util.c:2713:26: runtime error: signed integer overflow:
   9999999999999999 * 1000 cannot be represented in type 'long'

Compute the maximum limit for each case 's', 'h', 'ms' and 'mi' and make sure that the input is below this value.

While at it, move a comment to make things more consistent and use apr_time_from_msec() instead of hand-writing the conversion.

Modified:
    httpd/httpd/trunk/server/util.c

Modified: httpd/httpd/trunk/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?rev=1892185&r1=1892184&r2=1892185&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util.c (original)
+++ httpd/httpd/trunk/server/util.c Tue Aug 10 18:49:20 2021
@@ -2668,6 +2668,7 @@ AP_DECLARE(char *) ap_append_pid(apr_poo
  * in timeout_parameter.
  * @return Status value indicating whether the parsing was successful or not.
  */
+#define CHECK_OVERFLOW(a, b) if (a > b) return APR_ERANGE
 AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
                                                const char *timeout_parameter,
                                                apr_interval_time_t *timeout,
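Review bot: CHECK_OVERFLOW expands to a bare `if` with unparenthesized arguments and a hidden `return`, so a later use under an `if`/`else` or with a compound argument can silently change which branch returns APR_ERANGE. The usual form is `#define CHECK_OVERFLOW(a, b) do { if ((a) > (b)) return APR_ERANGE; } while (0)`. The define is also placed between the doc comment and the function it describes, so documentation tools may attach that comment to the macro; moving the `#define` above the comment block avoids this. The function body continues outside this hunk.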
@@ -2697,11 +2698,13 @@ AP_DECLARE(apr_status_t) ap_timeout_para
         /* Time is in seconds */
     case 's':
     case 'S':
+        CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX));
         check = apr_time_from_sec(tout);
         break;
+        /* Time is in hours */
     case 'h':
     case 'H':
-        /* Time is in hours */
+        CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 3600));
         check = apr_time_from_sec(tout * 3600);
         break;
     case 'm':
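Review bot: In the 'h' case the overflow limit and the conversion each carry their own `3600` literal, and nothing ties the two together; the 'i' case in the next hunk has the same pattern with `60`. If one literal is edited without the other, the guard stops matching the multiplication it protects and the signed overflow can return unnoticed. A short comment such as `/* limit = largest tout for which tout * 3600 seconds still fits in apr_time_t microseconds */` above each check would document the invariant. Alternatively, hoist the factor into a local constant used on both lines. The switch begins and ends outside this hunk.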
@@ -2710,11 +2713,13 @@ AP_DECLARE(apr_status_t) ap_timeout_para
         /* Time is in milliseconds */
         case 's':
         case 'S':
-            check = tout * 1000;
+            CHECK_OVERFLOW(tout, apr_time_as_msec(APR_INT64_MAX));
+            check = apr_time_from_msec(tout);
             break;
         /* Time is in minutes */
         case 'i':
         case 'I':
+            CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 60));
             check = apr_time_from_sec(tout * 60);
             break;
         default:
@@ -2724,12 +2729,11 @@ AP_DECLARE(apr_status_t) ap_timeout_para
     default:
         return APR_EGENERAL;
     }
-    if (check > APR_INT64_MAX || check < tout) { 
-        return APR_ERANGE;
-    }
-    *timeout = (apr_interval_time_t) check;
+
+    *timeout = (apr_interval_time_t)check;
     return APR_SUCCESS;
 }
+#undef CHECK_OVERFLOW
 
 AP_DECLARE(int) ap_parse_strict_length(apr_off_t *len, const char *str)
 {
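Review bot: With the final range test removed, nothing visible in these hunks rejects a negative `tout`, because CHECK_OVERFLOW bounds the value only from above. If no guard before the switch handles `tout < 0` (the start of the function is outside the diff, so this needs confirming), a negative value is scaled and stored in `*timeout`, and callers would receive a negative interval with APR_SUCCESS. Where that guard is missing, `if (tout < 0) return APR_EGENERAL;` ahead of the switch closes the gap. If it exists, a one-line comment here, `/* tout >= 0 and below the per-unit limit, so check cannot overflow */`, would record why the cast is safe.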