Do proper length checks in the expression scanner. This allows to remove the

8K length limit for expressions. Strings/Regexs in an expression are still
limited to 8K, though.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1157362 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
index 5730ebf3655a70a4dc225484382c5aa23535cb4c..5e3586e4190020ba8517eac80684da628483b30a 100644 (file)
--- a/server/util_expr_eval.c
+++ b/server/util_expr_eval.c
@@ -318,15 +318,6 @@ AP_DECLARE(const char *) ap_expr_parse(apr_pool_t *pool, apr_pool_t *ptemp,
     ctx.lookup_fn   = lookup_fn ? lookup_fn : ap_expr_lookup_default;
     ctx.at_start    = 1;
 
-
-    /*
-     * Be sure to avoid overflows in the scanner. In practice the input length
-     * will be limited by the config file parser, anyway.
-     * XXX: The scanner really should do proper buffer overflow checks
-     */
-    if (ctx.inputlen >= MAX_STRING_LEN)
-        return "Expression too long";
-
     ap_expr_yylex_init(&ctx.scanner);
     ap_expr_yyset_extra(&ctx, ctx.scanner);
     rc = ap_expr_yyparse(&ctx);

diff --git a/server/util_expr_parse.y b/server/util_expr_parse.y
index 59dea8aa88c9a05f4bb76dd732853984cffc2db9..6ba19dd9c46556a4115701abb4521934a02fcd3e 100644 (file)
--- a/server/util_expr_parse.y
+++ b/server/util_expr_parse.y
@@ -152,6 +152,7 @@ words     : word                         { $$ = ap_expr_make(op_ListElement, $1,
 
 string    : string strpart               { $$ = ap_expr_make(op_Concat, $1, $2, ctx); }
           | strpart                      { $$ = $1; }
+          | T_ERROR                      { YYABORT; }
           ;
 
 strpart   : T_STRING                     { $$ = ap_expr_make(op_String, $1, NULL, ctx); }

diff --git a/server/util_expr_scan.l b/server/util_expr_scan.l
index 607af1407356daf318a99d42e5daa82e80d64799..513236a940a7861e7c4741fea687cd27689deb4c 100644 (file)
--- a/server/util_expr_scan.l
+++ b/server/util_expr_scan.l
@@ -60,12 +60,18 @@
 
 #define YY_EXTRA_TYPE ap_expr_parse_ctx_t*
 
-#define PERROR(msg) yyextra->error2 = msg ; return T_ERROR;
+#define PERROR(msg) do { yyextra->error2 = msg ; return T_ERROR; } while (0)
 
 #define str_ptr     (yyextra->scan_ptr)
 #define str_buf     (yyextra->scan_buf)
 #define str_del     (yyextra->scan_del)
 
+#define STR_APPEND(c) do {                          \
+        *str_ptr++ = (c);                           \
+        if (str_ptr >= str_buf + sizeof(str_buf))   \
+            PERROR("String too long");              \
+    } while (0)
+
 %}
 
 
@@ -126,7 +132,7 @@
         }
     }
     else {
-        *str_ptr++ = yytext[0];
+        STR_APPEND(yytext[0]);
     }
 }
 <str,var,vararg>\n {
@@ -156,20 +162,18 @@
         PERROR("Escape sequence out of bound");
     }
     else {
-        *str_ptr++ = result;
+        STR_APPEND(result);
     }
 }
 <str,vararg>\\[0-9]+ {
     PERROR("Bad escape sequence");
 }
-<str,vararg>\\n { *str_ptr++ = '\n'; }
-<str,vararg>\\r { *str_ptr++ = '\r'; }
-<str,vararg>\\t { *str_ptr++ = '\t'; }
-<str,vararg>\\b { *str_ptr++ = '\b'; }
-<str,vararg>\\f { *str_ptr++ = '\f'; }
-<str,vararg>\\(.|\n) {
-    *str_ptr++ = yytext[1];
-}
+<str,vararg>\\n      { STR_APPEND('\n'); }
+<str,vararg>\\r      { STR_APPEND('\r'); }
+<str,vararg>\\t      { STR_APPEND('\t'); }
+<str,vararg>\\b      { STR_APPEND('\b'); }
+<str,vararg>\\f      { STR_APPEND('\f'); }
+<str,vararg>\\(.|\n) { STR_APPEND(yytext[1]); }
 
  /* regexp backref inside string/arg */
 <str,vararg>[$][0-9] {
@@ -189,8 +193,10 @@
 
 <str,vararg>[^\\\n"'%}$]+ {
     char *cp = yytext;
-    while (*cp != '\0')
-        *str_ptr++ = *cp++;
+    while (*cp != '\0') {
+        STR_APPEND(*cp);
+        cp++;
+    }
 }
 
  /* variable inside string/arg */
@@ -210,11 +216,11 @@
 }
 
 <vararg>[%$] {
-     *str_ptr++ = yytext[0];
+     STR_APPEND(yytext[0]);
 }
 
 <str>[%}$] {
-     *str_ptr++ = yytext[0];
+     STR_APPEND(yytext[0]);
 }
 
 %\{ {
@@ -286,6 +292,8 @@
     }
     else {
         *regex_ptr++ = yytext[0];
+        if (regex_ptr >= regex_buf + sizeof(regex_buf))
+            PERROR("Regexp too long");
     }
 }
 <regex_flags>i {