From: Stefan Fritsch Date: Sat, 20 Nov 2010 20:26:37 +0000 (+0000) Subject: Check input lenght to avoid potential overflows X-Git-Tag: 2.3.9~22 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=53d0129701c6ace3562411e49ed69cbd5f1885ab;p=apache Check input lenght to avoid potential overflows git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1037321 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
index edb1b7d7f7..21690504b6 100644
--- a/server/util_expr_eval.c
+++ b/server/util_expr_eval.c
@@ -298,7 +298,7 @@ AP_DECLARE(const char *) ap_expr_parse(apr_pool_t *pool, apr_pool_t *ptemp,
 ctx.inputlen = strlen(expr);
 ctx.inputptr = ctx.inputbuf;
 ctx.expr = NULL;
- ctx.error = NULL; /* generic bison error message (usually not very useful) */
+ ctx.error = NULL; /* generic bison error message (XXX: usually not very useful, should be axed) */
 ctx.error2 = NULL; /* additional error message */
 ctx.flags = info->flags;
 ctx.scan_del = '\0';
@@ -306,6 +306,15 @@ AP_DECLARE(const char *) ap_expr_parse(apr_pool_t *pool, apr_pool_t *ptemp,
 ctx.scan_ptr = ctx.scan_buf;
 ctx.lookup_fn = lookup_fn ? lookup_fn : ap_run_expr_lookup;
+
+ /*
+ * Be sure to avoid overflows in the scanner. In practice the input length
+ * will be limited by the config file parser, anyway.
+ * XXX: The scanner really should do proper buffer overflow checks
+ */
+ if (ctx.inputlen >= MAX_STRING_LEN)
+ return "Expression too long";
+
 ap_expr_yylex_init(&ctx.scanner);
 ap_expr_yyset_extra(&ctx, ctx.scanner);
 rc = ap_expr_yyparse(&ctx);
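Review bot: The new guard in the second hunk compares `ctx.inputlen` with `MAX_STRING_LEN`, but nothing visible ties that constant to the buffer it is meant to protect; the only scanner buffer in view is `ctx.scan_buf`, whose declaration lies outside the hunk. If `scan_buf` is a fixed-size array in the parse context, `if (ctx.inputlen >= sizeof(ctx.scan_buf))` would keep the bound correct should the array size ever change; otherwise the comment should name the buffer and the size being assumed. Because ap_expr_parse is an `AP_DECLARE` entry point, this check is the effective limit for every caller, so "limited by the config file parser, anyway" reads better as an expectation than as a guarantee. Bracing the single-statement `return "Expression too long";` would also suit a safety check that later edits must not accidentally widen. The body of ap_expr_parse starts and ends outside both hunks.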