From: Jacob Champion
Date: Tue, 20 Jun 2017 23:08:19 +0000 (+0000)
Subject: util.c: ensure all TEST_CHAR loops stop at the null terminator
X-Git-Tag: 2.5.0-alpha~368
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2a99e0920b29cd6baa36dd12c8c24193c0e76f75;p=apache
util.c: ensure all TEST_CHAR loops stop at the null terminator
In the aftermath of CVE-2017-7668, decouple the business logic ("is NULL a T_HTTP_CTRL") from the postcondition ("must not go past the end of the string"). The NULL-byte classification in the TEST_CHAR table may change in the future.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1799375 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/server/util.c b/server/util.c
index 4018b9f0ed..3c001511be 100644
--- a/server/util.c
+++ b/server/util.c
@@ -1526,7 +1526,7 @@ AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p,
 while (!string_end) {
 const unsigned char c = (unsigned char)*cur;
- if (!TEST_CHAR(c, T_HTTP_TOKEN_STOP)) {
+ if (c && !TEST_CHAR(c, T_HTTP_TOKEN_STOP)) {
 /* Non-separator character; we are finished with leading
 * whitespace. We must never have encountered any trailing
 * whitespace before the delimiter (comma) */
@@ -1600,7 +1600,7 @@ AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p,
 */
 AP_DECLARE(const char *) ap_scan_http_field_content(const char *ptr)
 {
- for ( ; !TEST_CHAR(*ptr, T_HTTP_CTRLS); ++ptr) ;
+ for ( ; *ptr && !TEST_CHAR(*ptr, T_HTTP_CTRLS); ++ptr) ;
 return ptr;
 }
@@ -1610,7 +1610,7 @@ AP_DECLARE(const char *) ap_scan_http_field_content(const char *ptr)
 */
 AP_DECLARE(const char *) ap_scan_http_token(const char *ptr)
 {
- for ( ; !TEST_CHAR(*ptr, T_HTTP_TOKEN_STOP); ++ptr) ;
+ for ( ; *ptr && !TEST_CHAR(*ptr, T_HTTP_TOKEN_STOP); ++ptr) ;
 return ptr;
 }
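Review bot: With the added `c &&` in `ap_parse_token_list_strict`, a NUL byte now always skips this `if` and falls to the branches that follow it, which lie outside the hunk, so termination of `while (!string_end)` depends on one of them recognising `c == 0`. That dependency deserves a comment at the guard, for example `/* NUL is never token text, whatever the TEST_CHAR table says; the end-of-string branch below must handle it */`. The visible lines do not show that a later branch sets `string_end` for NUL, so that should be confirmed when reviewing the full function.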
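Review bot: The new `*ptr &&` guard in `ap_scan_http_field_content` carries no comment saying that it is deliberately independent of the TEST_CHAR table, so for as long as the table itself stops on NUL the check reads as redundant and a later cleanup could drop it. A one-line comment above the loop would keep the postcondition visible, for example `/* Stop at NUL explicitly; do not rely on how the TEST_CHAR table classifies '\0' */`. The same applies to the loops in `ap_scan_http_token` and `ap_scan_vchar_obstext` in the next two hunks. Since the three loops now share one shape, a small static helper or macro carrying that comment would state the invariant once.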
@@ -1620,7 +1620,7 @@ AP_DECLARE(const char *) ap_scan_http_token(const char *ptr)
 */
 AP_DECLARE(const char *) ap_scan_vchar_obstext(const char *ptr)
 {
- for ( ; TEST_CHAR(*ptr, T_VCHAR_OBSTEXT); ++ptr) ;
+ for ( ; *ptr && TEST_CHAR(*ptr, T_VCHAR_OBSTEXT); ++ptr) ;
 return ptr;
 }
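Review bot: The doc comment for `ap_scan_vchar_obstext` starts above the hunk (only its closing `*/` is visible) and should say what the returned pointer means now that stopping at NUL is guaranteed. The pointer addresses either the terminating NUL or the first byte for which `TEST_CHAR(*ptr, T_VCHAR_OBSTEXT)` is false, and the caller has to test the pointed-to byte to tell the two apart. The comment should also state that `ptr` must be a non-NULL, NUL-terminated string, because the loop dereferences it unconditionally. The comments on `ap_scan_http_field_content` and `ap_scan_http_token` would benefit from the same two sentences.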