From fd962221ea30b998581edb12177fd3328195bec6 Mon Sep 17 00:00:00 2001
From: Stefan Fritsch
Date: Mon, 7 Nov 2011 21:13:40 +0000
Subject: [PATCH] Fix integer overflow in ap_pregsub. This can be triggered e.g. with mod_setenvif via a malicious .htaccess
CVE-2011-3607
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1198940 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++++
 server/util.c | 2 ++
 2 files changed, 6 insertions(+)
diff --git a/CHANGES b/CHANGES
index 2a107b8f07..356ec0606c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,10 @@ Changes with Apache 2.3.15
 PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
 ]
 
+ *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+ core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
+ with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]
+
 *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and
 LuaHookQuickHandler) from being configured in , ,
 and htaccess where the configuration would have been ignored.
diff --git a/server/util.c b/server/util.c
index 10d3e35b20..7fda13cc66 100644
--- a/server/util.c
+++ b/server/util.c
@@ -411,6 +411,8 @@ static apr_status_t regsub_core(apr_pool_t *p, char **result,
 len++;
 }
 else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
+ return APR_ENOMEM;
 len += pmatch[no].rm_eo - pmatch[no].rm_so;
 }
-- 
2.40.0
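Review bot: The `<=` in the new guard in server/util.c is one step stricter than a plain overflow test (`<`) and nothing in the hunk says why; presumably it reserves room for the terminating NUL added when the result buffer is allocated later, but without a comment the next reader will read it as an off-by-one. A one-liner would settle it: `/* <= rather than <: leave room for the trailing NUL added when the result is allocated */`. It is also worth noting that the comparison mixes what appears to be an unsigned apr_size_t (`len`) with a signed int difference, and that the enclosing `rm_so < rm_eo` condition is what guarantees the right-hand side is positive before the implicit conversion, e.g. `/* rm_eo - rm_so > 0 here (see the condition above), so promoting it to apr_size_t is safe */`. The `len++` branch in the context lines stays unchecked; it grows by one per literal character so wrapping there is not practical, but the asymmetry deserves a sentence in the same comment. regsub_core begins and ends outside the hunk.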