You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@apr.apache.org by ni...@apache.org on 2007/09/19 11:19:00 UTC
svn commit: r577214 - in /apr/apr-util/trunk/dbd: apr_dbd_freetds.c apr_dbd_mysql.c apr_dbd_oracle.c

Author: niq
Date: Wed Sep 19 02:18:59 2007
New Revision: 577214

URL: http://svn.apache.org/viewvc?rev=577214&view=rev
Log:
Check we don't dereference memory that doesn't belong to us in
parsing DBDParams.  Not a big issue, because the data can only
come from httpd.conf, not an untrusted source.
Spotted by Rici Lake.

Modified:
    apr/apr-util/trunk/dbd/apr_dbd_freetds.c
    apr/apr-util/trunk/dbd/apr_dbd_mysql.c
    apr/apr-util/trunk/dbd/apr_dbd_oracle.c

Modified: apr/apr-util/trunk/dbd/apr_dbd_freetds.c
URL: http://svn.apache.org/viewvc/apr/apr-util/trunk/dbd/apr_dbd_freetds.c?rev=577214&r1=577213&r2=577214&view=diff
==============================================================================
--- apr/apr-util/trunk/dbd/apr_dbd_freetds.c (original)
+++ apr/apr-util/trunk/dbd/apr_dbd_freetds.c Wed Sep 19 02:18:59 2007
@@ -549,6 +549,10 @@
     }
     /* now set login properties */
     for (ptr = strchr(params, '='); ptr; ptr = strchr(ptr, '=')) {
+        /* don't dereference memory that may not belong to us */
+        if (ptr == params) {
+            continue;
+        }
         for (key = ptr-1; isspace(*key); --key);
         klen = 0;
         while (isalpha(*key)) {

Modified: apr/apr-util/trunk/dbd/apr_dbd_mysql.c
URL: http://svn.apache.org/viewvc/apr/apr-util/trunk/dbd/apr_dbd_mysql.c?rev=577214&r1=577213&r2=577214&view=diff
==============================================================================
--- apr/apr-util/trunk/dbd/apr_dbd_mysql.c (original)
+++ apr/apr-util/trunk/dbd/apr_dbd_mysql.c Wed Sep 19 02:18:59 2007
@@ -1101,6 +1101,10 @@
         return NULL;
     }
     for (ptr = strchr(params, '='); ptr; ptr = strchr(ptr, '=')) {
+        /* don't dereference memory that may not belong to us */
+        if (ptr == params) {
+            continue;
+        }
         for (key = ptr-1; isspace(*key); --key);
         klen = 0;
         while (isalpha(*key)) {

Modified: apr/apr-util/trunk/dbd/apr_dbd_oracle.c
URL: http://svn.apache.org/viewvc/apr/apr-util/trunk/dbd/apr_dbd_oracle.c?rev=577214&r1=577213&r2=577214&view=diff
==============================================================================
--- apr/apr-util/trunk/dbd/apr_dbd_oracle.c (original)
+++ apr/apr-util/trunk/dbd/apr_dbd_oracle.c Wed Sep 19 02:18:59 2007
@@ -466,6 +466,10 @@
 
     /* snitch parsing from the MySQL driver */
     for (ptr = strchr(params, '='); ptr; ptr = strchr(ptr, '=')) {
+        /* don't dereference memory that may not belong to us */
+        if (ptr == params) {
+            continue;
+        }
         for (key = ptr-1; isspace(*key); --key);
         klen = 0;
         while (isalpha(*key)) {