mod_substitute: Fix memory limitation in case of
regexp plus flatten.
The maxlen argument of ap_varbuf_regsub() is unsigned.
Passing in "AP_SUBST_MAX_LINE_LENGTH - vb.strlen"
in case vb.strlen got to big didn't result in the
expected error but instead was handled as a very big
maxlen.
Add CHANGES for r1628104.
(mod_substitue: Fix memory limitation in case of
regexp plus flatten.)
Submitted by: rjung
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@
1634522 13f79535-47bb-0310-9956-
ffa450edef68
Changes with Apache 2.4.11
+ *) mod_substitute: Fix line length limitation in case of regexp plus flatten.
+ [Rainer Jung]
+
*) mod_proxy: Truncated character worker names are no longer fatal
errors. PR53218. [Jim Jagielski]
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_substitute: Fix memory limitation in case of regexp plus flatten.
- trunk patch: http://svn.apache.org/r1628104
- http://svn.apache.org/r1628918 (CHANGES)
- 2.4.x patch: trunk works
- +1: rjung, covener, jim
-
* mod_substitute: Make maximum line length configurable.
trunk patch: http://svn.apache.org/r1628919
http://svn.apache.org/r1628950 (docs, adjust "compatibility")
have_match = 1;
if (script->flatten && !force_quick) {
/* copy bytes before the match */
+ if (vb.strlen + regm[0].rm_so >= AP_SUBST_MAX_LINE_LENGTH)
+ return APR_ENOMEM;
if (regm[0].rm_so > 0)
ap_varbuf_strmemcat(&vb, pos, regm[0].rm_so);
- /* add replacement string */
+ /* add replacement string, last argument is unsigned! */
rv = ap_varbuf_regsub(&vb, script->replacement, pos,
AP_MAX_REG_MATCH, regm,
AP_SUBST_MAX_LINE_LENGTH - vb.strlen);
projects / apache / commitdiff