Fix integer overflow in ap_pregsub. This can be triggered e.g.

author Stefan Fritsch <sf@apache.org>

Mon, 7 Nov 2011 21:13:40 +0000 (21:13 +0000)

committer Stefan Fritsch <sf@apache.org>

Mon, 7 Nov 2011 21:13:40 +0000 (21:13 +0000)
author Stefan Fritsch <sf@apache.org>
Mon, 7 Nov 2011 21:13:40 +0000 (21:13 +0000)
committer Stefan Fritsch <sf@apache.org>
Mon, 7 Nov 2011 21:13:40 +0000 (21:13 +0000)
diff --git a/CHANGES b/CHANGES

index 2a107b8f077ced4c62370dad2eb60a810eaf976a..356ec0606c79174f0d29d7e8df147778fa964644 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,10 @@ Changes with Apache 2.3.15
       PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
       <lowprio20 gmail.com>]
  
+  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+     core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
+     with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]
+
    *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and 
       LuaHookQuickHandler) from being configured in <Directory>, <Files>, 
       and htaccess where the configuration would have been ignored.
diff --git a/server/util.c b/server/util.c

index 10d3e35b20d0b65ec696018f44f61f42086b8139..7fda13cc668d0a042092db1e88816f82703abf77 100644 (file)
--- a/server/util.c
+++ b/server/util.c
@@ -411,6 +411,8 @@ static apr_status_t regsub_core(apr_pool_t *p, char **result,
              len++;
          }
          else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+            if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
+                return APR_ENOMEM;
              len += pmatch[no].rm_eo - pmatch[no].rm_so;
          }
author	Stefan Fritsch <sf@apache.org>
	Mon, 7 Nov 2011 21:13:40 +0000 (21:13 +0000)
committer	Stefan Fritsch <sf@apache.org>
	Mon, 7 Nov 2011 21:13:40 +0000 (21:13 +0000)
CHANGES		patch \| blob \| history
server/util.c		patch \| blob \| history