From 53d0129701c6ace3562411e49ed69cbd5f1885ab Mon Sep 17 00:00:00 2001
From: Stefan Fritsch
Date: Sat, 20 Nov 2010 20:26:37 +0000
Subject: [PATCH] Check input lenght to avoid potential overflows
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1037321 13f79535-47bb-0310-9956-ffa450edef68
---
 server/util_expr_eval.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
index edb1b7d7f7..21690504b6 100644
--- a/server/util_expr_eval.c
+++ b/server/util_expr_eval.c
@@ -298,7 +298,7 @@ AP_DECLARE(const char *) ap_expr_parse(apr_pool_t *pool, apr_pool_t *ptemp,
 ctx.inputlen = strlen(expr);
 ctx.inputptr = ctx.inputbuf;
 ctx.expr = NULL;
- ctx.error = NULL; /* generic bison error message (usually not very useful) */
+ ctx.error = NULL; /* generic bison error message (XXX: usually not very useful, should be axed) */
 ctx.error2 = NULL; /* additional error message */
 ctx.flags = info->flags;
 ctx.scan_del = '\0';
@@ -306,6 +306,15 @@ AP_DECLARE(const char *) ap_expr_parse(apr_pool_t *pool, apr_pool_t *ptemp,
 ctx.scan_ptr = ctx.scan_buf;
 ctx.lookup_fn = lookup_fn ? lookup_fn : ap_run_expr_lookup;
+
+ /*
+ * Be sure to avoid overflows in the scanner. In practice the input length
+ * will be limited by the config file parser, anyway.
+ * XXX: The scanner really should do proper buffer overflow checks
+ */
+ if (ctx.inputlen >= MAX_STRING_LEN)
+ return "Expression too long";
+
 ap_expr_yylex_init(&ctx.scanner);
 ap_expr_yyset_extra(&ctx, ctx.scanner);
 rc = ap_expr_yyparse(&ctx);
--
2.40.0
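Review bot: The new guard `if (ctx.inputlen >= MAX_STRING_LEN)` in the second hunk protects the scanner only if its buffer (`ctx.scan_buf`, declared outside this hunk) holds at least MAX_STRING_LEN bytes, and nothing visible here ties the two sizes together. If scan_buf is a fixed array inside the parse context, comparing against the buffer itself keeps the check correct when either size changes: `if (ctx.inputlen >= sizeof(ctx.scan_buf)) return "Expression too long";`. If it is not, the comment should state the invariant the check relies on, for example `/* scan_buf holds MAX_STRING_LEN bytes and no token can be longer than the whole input */`, once that has been confirmed against the scanner. The added XXX already concedes that the scanner does no bounds checking of its own, so this length test is presumably the only barrier for any caller whose input does not pass through the config file parser. ap_expr_parse begins and ends outside the hunk.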