From: Justin Erenkrantz
Date: Mon, 17 Feb 2003 04:46:00 +0000 (+0000)
Subject: Fix potential memory leaks in mod_deflate on malformed input data.
X-Git-Tag: pre_ajp_proxy~2122
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=14c232562c3fbae705a2bbb4f35ca8739460d63a;p=apache
Fix potential memory leaks in mod_deflate on malformed input data.
PR: 16046
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98689 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 7c6f5f4052..efd09d4d5b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@ Changes with Apache 2.1.0-dev
 [Remove entries to the current 2.0 section below, when backported]
+ *) Fix potential memory leaks in mod_deflate on malformed data. PR 16046.
+ [Justin Erenkrantz]
+
 *) Use APR_LAYOUT instead of APACHE_LAYOUT in configure. PR 15679.
 [Justin Erenkrantz]
diff --git a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c
index def3412ec0..404fe41015 100644
--- a/modules/filters/mod_deflate.c
+++ b/modules/filters/mod_deflate.c
@@ -610,7 +610,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 if (rv != APR_SUCCESS) {
 return rv;
 }
-
+
 len = 10;
 rv = apr_brigade_flatten(ctx->bb, deflate_hdr, &len);
 if (rv != APR_SUCCESS) {
@@ -633,6 +633,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 if (zRC != Z_OK) {
 f->ctx = NULL;
+ inflateEnd(&ctx->stream);
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "unable to init Zlib: " "inflateInit2 returned %d: URL %s",
@@ -652,6 +653,8 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes);
 if (rv != APR_SUCCESS) {
+ /* What about APR_EAGAIN errors? */
+ inflateEnd(&ctx->stream);
 return rv;
 }
@@ -661,6 +664,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 /* If we actually see the EOS, that means we screwed up! */
 if (APR_BUCKET_IS_EOS(bkt)) {
+ inflateEnd(&ctx->stream);
 return APR_EGENERAL;
 }
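Review bot: In the hunk at `@@ -633,6 +633,7 @@`, `inflateEnd(&ctx->stream)` runs on the path where `inflateInit2` has just failed, so there should be no inflate state left to release and the call only returns an error code. That is harmless only while the stream's state pointer is null at this point, which presumably holds if ctx is zero-filled when it is allocated (the allocation is outside the hunk, so confirm). A comment such as `/* init failed: no zlib state was allocated, inflateEnd is a defensive no-op */` would stop a later reader from treating this call as the actual leak fix. The function body starts and ends outside the hunk.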
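Review bot: In the hunk at `@@ -652,6 +653,8 @@`, the new comment asks about APR_EAGAIN, yet the new `inflateEnd(&ctx->stream)` already ends the stream on every non-success status, including a would-block result from a non-blocking read. If the filter is then called again with the same context (it appears to be kept in `f->ctx`, judging by the `f->ctx = NULL` in the init-failure hunk), `inflate()` would be given an ended stream and the request would fail instead of resuming. Guarding the call, `if (!APR_STATUS_IS_EAGAIN(rv)) inflateEnd(&ctx->stream);`, keeps the state for the retry. The enclosing function starts and ends outside the hunk.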
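Review bot: The leak fix is a hand-placed `inflateEnd(&ctx->stream)` in front of each early return (this EOS check at `@@ -661,6 +664,7 @@` and the returns in the hunks at +672, +720 and +745), so the next return added to deflate_in_filter will leak again. None of these paths clears `f->ctx` the way the init-failure path does, so a later call could still reach the ended stream. Registering one pool cleanup straight after `inflateInit2` returns Z_OK, `apr_pool_cleanup_register(r->pool, ctx, deflate_ctx_cleanup, apr_pool_cleanup_null);`, where `deflate_ctx_cleanup` is a new static callback that calls inflateEnd, would release the zlib state on every path, including aborted requests. The per-return calls could then be dropped; whether `r->pool` is the right lifetime should be checked against where ctx is allocated, which is outside this hunk.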
@@ -668,6 +672,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 apr_bucket *tmp_heap;
 zRC = inflate(&(ctx->stream), Z_SYNC_FLUSH);
 if (zRC != Z_OK) {
+ inflateEnd(&ctx->stream);
 return APR_EGENERAL;
 }
@@ -715,6 +720,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 }
 if (zRC != Z_OK) {
+ inflateEnd(&ctx->stream);
 return APR_EGENERAL;
 }
 }
@@ -739,22 +745,25 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 unsigned long compCRC, compLen;
 compCRC = getLong(ctx->stream.next_in);
 if (ctx->crc != compCRC) {
+ inflateEnd(&ctx->stream);
 return APR_EGENERAL;
 }
 ctx->stream.next_in += 4;
 compLen = getLong(ctx->stream.next_in);
 if (ctx->stream.total_out != compLen) {
+ inflateEnd(&ctx->stream);
 return APR_EGENERAL;
 }
 }
 else {
 /* FIXME: We need to grab the 8 verification bytes
 * from the wire! */
+ inflateEnd(&ctx->stream);
 return APR_EGENERAL;
 }
 inflateEnd(&ctx->stream);
-
+
 eos = apr_bucket_eos_create(f->c->bucket_alloc);
 APR_BRIGADE_INSERT_TAIL(ctx->proc_bb, eos);
 break;
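Review bot: In the hunk at `@@ -668,6 +672,7 @@`, and again at `@@ -715,6 +720,7 @@`, a failed `inflate()` returns APR_EGENERAL without recording `zRC`, so a rejected malformed compressed body leaves nothing in the error log, whereas the `inflateInit2` failure is logged with its return code and URL. A line such as `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "inflate returned %d: URL %s", zRC, r->uri);` before each return would give operators something to correlate when bad input arrives. Separately, `zRC != Z_OK` also treats zlib's non-fatal Z_BUF_ERROR as a hard failure; whether that can occur here depends on buffer setup outside the hunk.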
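Review bot: In the hunk at `@@ -739,22 +745,25 @@`, `ctx->stream.total_out != compLen` compares zlib's running `unsigned long` output count with the 4-byte length field of the gzip trailer, which RFC 1952 defines as the uncompressed size modulo 2^32. Where unsigned long is 64 bits, a valid stream that inflates past 4 GiB would be rejected here. Comparing `(ctx->stream.total_out & 0xffffffffUL) != compLen` avoids that, assuming getLong (defined outside this page) returns the 32-bit trailer value. The else branch still refuses a body whose 8 trailer bytes are not all in the current buffer, as its FIXME says. The enclosing block starts outside the hunk.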