You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by yl...@apache.org on 2022/05/24 08:55:16 UTC
svn commit: r1901196 - in /httpd/httpd/branches/2.4.x: ./ CHANGES server/util.c
Author: ylavic
Date: Tue May 24 08:55:16 2022
New Revision: 1901196
URL: http://svn.apache.org/viewvc?rev=1901196&view=rev
Log:
*) core: make ap_escape_quotes() work correctly on strings
with more than MAX_INT/2 characters, counting quotes double.
Credit to <ge...@zippenhop.com> for finding this.
*) core: improved checks in ap_escape_quotes() for
extra long strings (or resulting strings) that
exceed ptrdiff_t ranges.
Merge r1899609, r1899905 from trunk.
Reviewed by: icing, rpluem, ylavic
Submitted by: icing, ylavic
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/server/util.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1899609,1899905
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1901196&r1=1901195&r2=1901196&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue May 24 08:55:16 2022
@@ -1,6 +1,11 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.54
+ *) core: make ap_escape_quotes() work correctly on strings
+ with more than MAX_INT/2 characters, counting quotes double.
+ Credit to <ge...@zippenhop.com> for finding this.
+ [Stefan Eissing]
+
*) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
an ACME CA. This gives a failover for renewals when several consecutive attempts
to get a certificate failed.
Modified: httpd/httpd/branches/2.4.x/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/util.c?rev=1901196&r1=1901195&r2=1901196&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/server/util.c (original)
+++ httpd/httpd/branches/2.4.x/server/util.c Tue May 24 08:55:16 2022
@@ -2535,7 +2535,7 @@ AP_DECLARE(void) ap_content_type_tolower
*/
AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
{
- int newlen = 0;
+ apr_size_t size, extra = 0;
const char *inchr = instring;
char *outchr, *outstring;
@@ -2544,9 +2544,8 @@ AP_DECLARE(char *) ap_escape_quotes(apr_
* string up by an extra byte each time we find an unescaped ".
*/
while (*inchr != '\0') {
- newlen++;
if (*inchr == '"') {
- newlen++;
+ extra++;
}
/*
* If we find a slosh, and it's not the last byte in the string,
@@ -2554,11 +2553,32 @@ AP_DECLARE(char *) ap_escape_quotes(apr_
*/
else if ((*inchr == '\\') && (inchr[1] != '\0')) {
inchr++;
- newlen++;
}
inchr++;
}
- outstring = apr_palloc(p, newlen + 1);
+
+ if (!extra) {
+ return apr_pstrdup(p, instring);
+ }
+
+ /* How large will the string become, once we escaped all the quotes?
+ * The tricky cases are
+ * - an `instring` that is already longer than `ptrdiff_t`
+ * can hold (which is an undefined case in C, as C defines ptrdiff_t as
+ * a signed difference between pointers into the same array and one index
+ * beyond).
+ * - an `instring` that, including the `extra` chars we want to add, becomes
+ * even larger than apr_size_t can handle.
+ * Since this function was not designed to ever return NULL for failure, we
+ * can only trigger a hard assertion failure. It seems more a programming
+ * mistake (or failure to verify the input causing this) that leads to this
+ * situation.
+ */
+ ap_assert(inchr - instring > 0);
+ size = ((apr_size_t)(inchr - instring)) + 1;
+ ap_assert(size + extra > size);
+
+ outstring = apr_palloc(p, size + extra);
inchr = instring;
outchr = outstring;
/*