Posted to cvs@httpd.apache.org by ji...@apache.org on 2002/12/09 21:21:00 UTC

cvs commit: apache-1.3/src/ap ap_snprintf.c

jim         2002/12/09 12:21:00

  Modified:    src      CHANGES
               src/ap   ap_snprintf.c
  Log:
  Get rid of a somewhat long-standing issue regarding large values
  of precision causing a buffer to be clobbered in the vformatter
  function (e.g. ap_snprintf)
  
  Revision  Changes    Path
  1.1866    +3 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1865
  retrieving revision 1.1866
  diff -u -r1.1865 -r1.1866
  --- CHANGES	9 Dec 2002 17:23:58 -0000	1.1865
  +++ CHANGES	9 Dec 2002 20:21:00 -0000	1.1866
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3.28
   
  +  *) Prevent obscenely large values of precision in ap_vformatter
  +     from clobbering a buffer. [Sander Striker, Jim Jagielski]
  +
     *) NetWare: implemented ap_os_default_port() to resolve the 
        correct default port based on the request method. This fixes
        a URL reconstruction problem on a redirect. 
  
  
  
  1.53      +10 -8     apache-1.3/src/ap/ap_snprintf.c
  
  Index: ap_snprintf.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/ap/ap_snprintf.c,v
  retrieving revision 1.52
  retrieving revision 1.53
  diff -u -r1.52 -r1.53
  --- ap_snprintf.c	7 Sep 2002 22:57:05 -0000	1.52
  +++ ap_snprintf.c	9 Dec 2002 20:21:00 -0000	1.53
  @@ -317,15 +317,21 @@
    * This macro does zero padding so that the precision
    * requirement is satisfied. The padding is done by
    * adding '0's to the left of the string that is going
  - * to be printed.
  + * to be printed. We don't allow precision to be large
  + * enough that we continue past the start of s.
  + *
  + * NOTE: this makes use of the magic info that s is
  + * always based on num_buf with a size of NUM_BUF_SIZE.
    */
   #define FIX_PRECISION( adjust, precision, s, s_len )	\
  -    if ( adjust )					\
  -	while ( s_len < precision )			\
  +    if ( adjust ) {					\
  +        int p = precision < NUM_BUF_SIZE - 1 ? precision : NUM_BUF_SIZE - 1; \
  +	while ( s_len < p )				\
   	{						\
   	    *--s = '0' ;				\
   	    s_len++ ;					\
  -	}
  +	}						\
  +    }
   
   /*
    * Macro that does padding. The padding is done by printing
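Review bot: The clamp in the new FIX_PRECISION bounds `p` by NUM_BUF_SIZE - 1 but never checks the pointer itself, so it only prevents writing before num_buf if every caller's `s` really starts `NUM_BUF_SIZE - 1 - s_len` bytes past num_buf, which is exactly the "magic info" the new NOTE admits to relying on and which this hunk cannot verify (the conversion helpers that position `s` are outside the hunk). If `num_buf` is in scope at every use site in ap_vformatter, the invariant could be enforced directly with `while ( s_len < p && s > num_buf )`, and the NOTE could then state that the loop stops at the buffer start rather than depending on how `s` was placed. The macro also still expands to a bare `if ( adjust ) { ... }` rather than `do { ... } while (0)`, so a use of the form `if (x) FIX_PRECISION(...); else ...` would fail to compile; wrapping the body in `do { ... } while (0)` removes that hazard at no cost. The enclosing use sites of the macro are not part of this hunk.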
  @@ -758,10 +764,6 @@
   
   		/*
   		 * Check if a precision was specified
  -		 *
  -		 * XXX: an unreasonable amount of precision may be specified
  -		 * resulting in overflow of num_buf. Currently we
  -		 * ignore this possibility.
   		 */
   		if (*fmt == '.') {
   		    adjust_precision = YES;