From 51b43a3fbc79da8e1d3a17f2d260e10c406e59f7 Mon Sep 17 00:00:00 2001
From: Jim Jagielski <jim@apache.org>
Date: Mon, 27 Oct 2014 12:42:37 +0000
Subject: [PATCH] Merge r1628104, r1628918 from trunk:

mod_substitute: Fix memory limitation in case of
regexp plus flatten.

The maxlen argument of ap_varbuf_regsub() is unsigned.
Passing in "AP_SUBST_MAX_LINE_LENGTH - vb.strlen"
in case vb.strlen got to big didn't result in the
expected error but instead was handled as a very big
maxlen.


Add CHANGES for r1628104.
(mod_substitue: Fix memory limitation in case of
regexp plus flatten.)

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634522 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                          | 3 +++
 STATUS                           | 6 ------
 modules/filters/mod_substitute.c | 4 +++-
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/CHANGES b/CHANGES
index 580b99b09b..a9250e0676 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.4.11
 
+  *) mod_substitute: Fix line length limitation in case of regexp plus flatten.
+     [Rainer Jung]
+  
   *) mod_proxy: Truncated character worker names are no longer fatal
      errors. PR53218. [Jim Jagielski]
 
diff --git a/STATUS b/STATUS
index 858b1774c0..8f947edca9 100644
--- a/STATUS
+++ b/STATUS
@@ -102,12 +102,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_substitute: Fix memory limitation in case of regexp plus flatten.
-     trunk patch: http://svn.apache.org/r1628104
-                  http://svn.apache.org/r1628918 (CHANGES)
-     2.4.x patch: trunk works
-     +1: rjung, covener, jim
-
    * mod_substitute: Make maximum line length configurable.
      trunk patch: http://svn.apache.org/r1628919
                   http://svn.apache.org/r1628950 (docs, adjust "compatibility")
diff --git a/modules/filters/mod_substitute.c b/modules/filters/mod_substitute.c
index 15cd8ee413..0a8037b5e9 100644
--- a/modules/filters/mod_substitute.c
+++ b/modules/filters/mod_substitute.c
@@ -235,9 +235,11 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
                         have_match = 1;
                         if (script->flatten && !force_quick) {
                             /* copy bytes before the match */
+                            if (vb.strlen + regm[0].rm_so >= AP_SUBST_MAX_LINE_LENGTH)
+                                return APR_ENOMEM;
                             if (regm[0].rm_so > 0)
                                 ap_varbuf_strmemcat(&vb, pos, regm[0].rm_so);
-                            /* add replacement string */
+                            /* add replacement string, last argument is unsigned! */
                             rv = ap_varbuf_regsub(&vb, script->replacement, pos,
                                                   AP_MAX_REG_MATCH, regm,
                                                   AP_SUBST_MAX_LINE_LENGTH - vb.strlen);
-- 
2.50.1