Fix potential memory leaks in mod_deflate on malformed input data.

PR: 16046

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98689 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 7c6f5f40525f93bb3f777462a62b1c8f5a45e6d8..efd09d4d5ba71d92b410552d35eb90770b9b5c59 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) Fix potential memory leaks in mod_deflate on malformed data.  PR 16046.
+     [Justin Erenkrantz]
+
   *) Use APR_LAYOUT instead of APACHE_LAYOUT in configure.  PR 15679.
      [Justin Erenkrantz]
 

diff --git a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c
index def3412ec0a06a6f70cf47a680a5b3a3bc8fede8..404fe410154c122c0358290709de9968e30efb91 100644 (file)
--- a/modules/filters/mod_deflate.c
+++ b/modules/filters/mod_deflate.c
@@ -610,7 +610,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
         if (rv != APR_SUCCESS) {
             return rv;
         }
-      
+
         len = 10; 
         rv = apr_brigade_flatten(ctx->bb, deflate_hdr, &len); 
         if (rv != APR_SUCCESS) {
@@ -633,6 +633,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 
         if (zRC != Z_OK) {
             f->ctx = NULL;
+            inflateEnd(&ctx->stream);
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                           "unable to init Zlib: "
                           "inflateInit2 returned %d: URL %s",
@@ -652,6 +653,8 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
         rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes);
 
         if (rv != APR_SUCCESS) {
+            /* What about APR_EAGAIN errors? */
+            inflateEnd(&ctx->stream);
             return rv;
         }
 
@@ -661,6 +664,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 
             /* If we actually see the EOS, that means we screwed up! */
             if (APR_BUCKET_IS_EOS(bkt)) {
+                inflateEnd(&ctx->stream);
                 return APR_EGENERAL;
             }
 
@@ -668,6 +672,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
                 apr_bucket *tmp_heap;
                 zRC = inflate(&(ctx->stream), Z_SYNC_FLUSH);
                 if (zRC != Z_OK) {
+                    inflateEnd(&ctx->stream);
                     return APR_EGENERAL;
                 }
 
@@ -715,6 +720,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
                 }
 
                 if (zRC != Z_OK) {
+                    inflateEnd(&ctx->stream);
                     return APR_EGENERAL;
                 }
             }
@@ -739,22 +745,25 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
                     unsigned long compCRC, compLen;
                     compCRC = getLong(ctx->stream.next_in);
                     if (ctx->crc != compCRC) {
+                        inflateEnd(&ctx->stream);
                         return APR_EGENERAL;
                     }
                     ctx->stream.next_in += 4;
                     compLen = getLong(ctx->stream.next_in);
                     if (ctx->stream.total_out != compLen) {
+                        inflateEnd(&ctx->stream);
                         return APR_EGENERAL;
                     }
                 }
                 else {
                     /* FIXME: We need to grab the 8 verification bytes
                      * from the wire! */
+                    inflateEnd(&ctx->stream);
                     return APR_EGENERAL;
                 }
 
                 inflateEnd(&ctx->stream);
-    
+
                 eos = apr_bucket_eos_create(f->c->bucket_alloc);
                 APR_BRIGADE_INSERT_TAIL(ctx->proc_bb, eos); 
                 break;