Improve error detection when decompressing

author Rainer Jung <rjung@apache.org>

Sat, 13 Jul 2013 11:04:58 +0000 (11:04 +0000)

committer Rainer Jung <rjung@apache.org>

Sat, 13 Jul 2013 11:04:58 +0000 (11:04 +0000)
author Rainer Jung <rjung@apache.org>
Sat, 13 Jul 2013 11:04:58 +0000 (11:04 +0000)
committer Rainer Jung <rjung@apache.org>
Sat, 13 Jul 2013 11:04:58 +0000 (11:04 +0000)
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number

index b8c6595ce323a7d22039d66589775aedeb9b2e2b..a385b0c6e25128668301c6db194a76282f36e815 100644 (file)
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2485
+2486
diff --git a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c

index 963f18341d625f5ef132ca4472d78ceef7e7a152..43ae858380da7b74d1c4daec13e5ff8f34e6b458 100644 (file)
--- a/modules/filters/mod_deflate.c
+++ b/modules/filters/mod_deflate.c
@@ -1096,6 +1096,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
              }
              if (zRC == Z_STREAM_END) {
                  apr_bucket *tmp_heap;
+                apr_size_t avail;
  
                  ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01393)
                                "Zlib: Inflated %ld to %ld : URL %s",
@@ -1110,8 +1111,10 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
                  APR_BRIGADE_INSERT_TAIL(ctx->proc_bb, tmp_heap);
                  ctx->stream.avail_out = c->bufferSize;
  
+                avail = ctx->stream.avail_in;
+
                  /* Is the remaining 8 bytes already in the avail stream? */
-                if (ctx->stream.avail_in >= 8) {
+                if (avail >= 8) {
                      unsigned long compCRC, compLen;
                      compCRC = getLong(ctx->stream.next_in);
                      if (ctx->crc != compCRC) {
@@ -1143,6 +1146,13 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
                  inflateEnd(&ctx->stream);
  
                  ctx->done = 1;
+
+                /* Did we have trailing data behind the closing 8 bytes? */
+                if (avail > 8) {
+                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02485)
+                                  "Encountered extra data after compressed data");
+                    return APR_EGENERAL;
+                }
              }
  
          }
author	Rainer Jung <rjung@apache.org>
	Sat, 13 Jul 2013 11:04:58 +0000 (11:04 +0000)
committer	Rainer Jung <rjung@apache.org>
	Sat, 13 Jul 2013 11:04:58 +0000 (11:04 +0000)
docs/log-message-tags/next-number		patch \| blob \| history
modules/filters/mod_deflate.c		patch \| blob \| history