From: Stefan Fritsch Date: Mon, 7 Nov 2011 20:53:12 +0000 (+0000) Subject: Also do length check if the last line is not LF terminated X-Git-Tag: 2.3.15~43 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b46ba1c36e3cd36a250d28e1867d85a2243cdeae;p=apache Also do length check if the last line is not LF terminated git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1198926 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/filters/mod_substitute.c b/modules/filters/mod_substitute.c index e7a1c77b83..67f5ccfda0 100644 --- a/modules/filters/mod_substitute.c +++ b/modules/filters/mod_substitute.c @@ -184,6 +184,9 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb, buff += len; } if (have_match && script->flatten && !force_quick) { + /* XXX: we should check for AP_MAX_BUCKETS here and + * XXX: call ap_pass_brigade accordingly + */ char *copy = ap_varbuf_pdup(pool, &vb, NULL, 0, buff, bytes, &len); tmp_b = apr_bucket_pool_create(copy, len, pool, @@ -346,6 +349,10 @@ static apr_status_t substitute_filter(ap_filter_t *f, apr_bucket_brigade *bb) &fbytes, ctx->tpool); if (rv != APR_SUCCESS) goto err; + if (fbytes > AP_SUBST_MAX_LINE_LENGTH) { + rv = APR_ENOMEM; + goto err; + } tmp_b = apr_bucket_transient_create(bflat, fbytes, f->r->connection->bucket_alloc); rv = do_pattmatch(f, tmp_b, ctx->pattbb, ctx->tpool);