util.c: ensure all TEST_CHAR loops stop at the null terminator

In the aftermath of CVE-2017-7668, decouple the business logic ("is NULL
a T_HTTP_CTRL") from the postcondition ("must not go past the end of the
string"). The NULL-byte classification in the TEST_CHAR table may change
in the future.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1799375 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/server/util.c b/server/util.c
index 4018b9f0ed591c1e43b7f2673d8303f78e72e7f7..3c001511be6fdddc545fa7cd37671cb0ff0c5a3c 100644 (file)
--- a/server/util.c
+++ b/server/util.c
@@ -1526,7 +1526,7 @@ AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p,
     while (!string_end) {
         const unsigned char c = (unsigned char)*cur;
 
-        if (!TEST_CHAR(c, T_HTTP_TOKEN_STOP)) {
+        if (c && !TEST_CHAR(c, T_HTTP_TOKEN_STOP)) {
             /* Non-separator character; we are finished with leading
              * whitespace. We must never have encountered any trailing
              * whitespace before the delimiter (comma) */
@@ -1600,7 +1600,7 @@ AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p,
  */
 AP_DECLARE(const char *) ap_scan_http_field_content(const char *ptr)
 {
-    for ( ; !TEST_CHAR(*ptr, T_HTTP_CTRLS); ++ptr) ;
+    for ( ; *ptr && !TEST_CHAR(*ptr, T_HTTP_CTRLS); ++ptr) ;
 
     return ptr;
 }
@@ -1610,7 +1610,7 @@ AP_DECLARE(const char *) ap_scan_http_field_content(const char *ptr)
  */
 AP_DECLARE(const char *) ap_scan_http_token(const char *ptr)
 {
-    for ( ; !TEST_CHAR(*ptr, T_HTTP_TOKEN_STOP); ++ptr) ;
+    for ( ; *ptr && !TEST_CHAR(*ptr, T_HTTP_TOKEN_STOP); ++ptr) ;
 
     return ptr;
 }
@@ -1620,7 +1620,7 @@ AP_DECLARE(const char *) ap_scan_http_token(const char *ptr)
  */
 AP_DECLARE(const char *) ap_scan_vchar_obstext(const char *ptr)
 {
-    for ( ; TEST_CHAR(*ptr, T_VCHAR_OBSTEXT); ++ptr) ;
+    for ( ; *ptr && TEST_CHAR(*ptr, T_VCHAR_OBSTEXT); ++ptr) ;
 
     return ptr;
 }