with mod_setenvif via a malicious .htaccess
CVE-2011-3607
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@
1198940 13f79535-47bb-0310-9956-
ffa450edef68
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
<lowprio20 gmail.com>]
+ *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+ core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
+ with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]
+
*) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and
LuaHookQuickHandler) from being configured in <Directory>, <Files>,
and htaccess where the configuration would have been ignored.
len++;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
+ return APR_ENOMEM;
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}