You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ic...@apache.org on 2021/08/16 14:30:06 UTC

svn commit: r1892380 - in /httpd/httpd/branches/2.4.x: ./ server/util.c

Author: icing
Date: Mon Aug 16 14:30:06 2021
New Revision: 1892380

URL: http://svn.apache.org/viewvc?rev=1892380&view=rev
Log:
Merge 1892185,1892207 from trunk:

 *) core: ap_timeout_parameter_parse UBI fuzz fix followup


Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/server/util.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1892185,1892207

Modified: httpd/httpd/branches/2.4.x/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/util.c?rev=1892380&r1=1892379&r2=1892380&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/server/util.c (original)
+++ httpd/httpd/branches/2.4.x/server/util.c Mon Aug 16 14:30:06 2021
@@ -2589,6 +2589,7 @@ AP_DECLARE(char *) ap_append_pid(apr_poo
  * in timeout_parameter.
  * @return Status value indicating whether the parsing was successful or not.
  */
+#define CHECK_OVERFLOW(a, b) if (a > b) return APR_EGENERAL
 AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
                                                const char *timeout_parameter,
                                                apr_interval_time_t *timeout,
@@ -2611,26 +2612,30 @@ AP_DECLARE(apr_status_t) ap_timeout_para
     }
 
     if (tout < 0) { 
-        return APR_ERANGE;
+        return APR_EGENERAL;
     }
 
     switch (*time_str) {
         /* Time is in seconds */
     case 's':
+        CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX));
         check = apr_time_from_sec(tout);
         break;
-    case 'h':
         /* Time is in hours */
+    case 'h':
+        CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 3600));
         check = apr_time_from_sec(tout * 3600);
         break;
     case 'm':
         switch (*(++time_str)) {
         /* Time is in milliseconds */
         case 's':
-            check = tout * 1000;
+            CHECK_OVERFLOW(tout, apr_time_as_msec(APR_INT64_MAX));
+            check = apr_time_from_msec(tout);
             break;
         /* Time is in minutes */
         case 'i':
+            CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 60));
             check = apr_time_from_sec(tout * 60);
             break;
         default:
@@ -2640,12 +2645,11 @@ AP_DECLARE(apr_status_t) ap_timeout_para
     default:
         return APR_EGENERAL;
     }
-    if (check > APR_INT64_MAX || check < tout) { 
-        return APR_ERANGE;
-    }
-    *timeout = (apr_interval_time_t) check;
+
+    *timeout = (apr_interval_time_t)check;
     return APR_SUCCESS;
 }
+#undef CHECK_OVERFLOW
 
 AP_DECLARE(int) ap_parse_strict_length(apr_off_t *len, const char *str)
 {