From 71e93ff17b9464e5bfc275c76190b4efc9640b0c Mon Sep 17 00:00:00 2001
From: Christophe Jaillet
Date: Fri, 13 Mar 2015 07:21:10 +0000
Subject: [PATCH] Avoid a potential integer underflow in the lock timeout value sent back to a client. The answer to a LOCK request could be an extremly large integer if the time needed to lock the resource was longer that the requested timeout given in the LOCK request. In such a case, we now answer "Second-0". PR55420
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1666361 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 7 +++++++
 modules/dav/main/util_lock.c | 14 ++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 3290d62bbb..0222887db0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,13 @@ Changes with Apache 2.5.0
 to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. [Yann Ylavic]
+ *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
+ back to a client. The answer to a LOCK request could be an extremly large
+ integer if the time needed to lock the resource was longer that the
+ requested timeout given in the LOCK request. In such a case, we now answer
+ "Second-0". PR55420
+ [Christophe Jaillet]
+
 *) mod_ssl: Fix possible crash when loading server certificate constraints. PR 57694. [Paul Spangler , Yann Ylavic]
diff --git a/modules/dav/main/util_lock.c b/modules/dav/main/util_lock.c
index 6ff70efbe2..1b3a647982 100644
--- a/modules/dav/main/util_lock.c
+++ b/modules/dav/main/util_lock.c
@@ -133,8 +133,18 @@ DAV_DECLARE(const char *) dav_lock_get_activelock(request_rec *r,
 }
 else {
 time_t now = time(NULL);
- apr_snprintf(tmp, sizeof(tmp), "Second-%lu", (long unsigned int)(lock->timeout - now));
- dav_buffer_append(p, pbuf, tmp);
+
+ /*
+ ** Check if the timeout is not, for any reason, already elapsed.
+ ** (e.g., because of a large collection, or disk under heavy load...)
+ */
+ if (now >= lock->timeout) {
+ dav_buffer_append(p, pbuf, "Second-0");
+ }
+ else {
+ apr_snprintf(tmp, sizeof(tmp), "Second-%lu", (long unsigned int)(lock->timeout - now));
+ dav_buffer_append(p, pbuf, tmp);
+ }
 }
 dav_buffer_append(p, pbuf,
--
2.40.0
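Review bot: The new comment above `if (now >= lock->timeout)` says the timeout may already have elapsed but not why that matters. The `(long unsigned int)` cast in the inner `else` turns a negative `lock->timeout - now` into a very large `Second-` value, and this guard is now the only thing preventing that. I would state it in the comment, e.g. `/* An elapsed timeout would wrap in the unsigned cast below; report "Second-0" instead. */`, so a later edit does not drop or reorder the check. The guard also accepts a failed `time(NULL)` (which returns `(time_t)-1`) as a valid clock reading, so the reported remaining time would be wrong in that rare case. Whether a lock answered with `Second-0` is also treated as expired by the lock provider cannot be seen here, since `dav_lock_get_activelock` starts and ends outside the hunk.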