Posted to cvs@httpd.apache.org by rj...@apache.org on 2014/09/28 23:38:34 UTC
svn commit: r1628104 - /httpd/httpd/trunk/modules/filters/mod_substitute.c
Author: rjung
Date: Sun Sep 28 21:38:33 2014
New Revision: 1628104
URL: http://svn.apache.org/r1628104
Log:
mod_substitute: Fix memory limitation in case of
regexp plus flatten.
The maxlen argument of ap_varbuf_regsub() is unsigned.
Passing in "AP_SUBST_MAX_LINE_LENGTH - vb.strlen"
in case vb.strlen got too big didn't result in the
expected error but instead was handled as a very big
maxlen.
Modified:
httpd/httpd/trunk/modules/filters/mod_substitute.c
Modified: httpd/httpd/trunk/modules/filters/mod_substitute.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_substitute.c?rev=1628104&r1=1628103&r2=1628104&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/filters/mod_substitute.c (original)
+++ httpd/httpd/trunk/modules/filters/mod_substitute.c Sun Sep 28 21:38:33 2014
@@ -235,9 +235,11 @@ static apr_status_t do_pattmatch(ap_filt
have_match = 1;
if (script->flatten && !force_quick) {
/* copy bytes before the match */
+ if (vb.strlen + regm[0].rm_so >= AP_SUBST_MAX_LINE_LENGTH)
+ return APR_ENOMEM;
if (regm[0].rm_so > 0)
ap_varbuf_strmemcat(&vb, pos, regm[0].rm_so);
- /* add replacement string */
+ /* add replacement string, last argument is unsigned! */
rv = ap_varbuf_regsub(&vb, script->replacement, pos,
AP_MAX_REG_MATCH, regm,
AP_SUBST_MAX_LINE_LENGTH - vb.strlen);
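
Review bot: The added comment on the ap_varbuf_regsub() call ("last argument is unsigned!") names the hazard but not the invariant that prevents it, and the guard that enforces that invariant, "if (vb.strlen + regm[0].rm_so >= AP_SUBST_MAX_LINE_LENGTH)", has no comment at all. Suggest documenting at the guard that it keeps vb.strlen below AP_SUBST_MAX_LINE_LENGTH after the ap_varbuf_strmemcat() copy, so that "AP_SUBST_MAX_LINE_LENGTH - vb.strlen" cannot wrap to a very large maxlen. It is also worth confirming that the direct "return APR_ENOMEM" in the new check, unlike the "rv = ..." assignment used for the ap_varbuf_regsub() result, does not skip any release of vb on the error path.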