Attachment 36489 Details for Bug 63265 – patch adding checks to apr_bucket_read return value

[patch] patch adding checks to apr_bucket_read return value

apache-2.4.38-fix-mod-deflate-using-uninitialized-len-value-from-apr-bucket-read.patch (text/plain), 2.47 KB, created by Sylvain Rochet on 2019-03-16 16:02:57 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Sylvain Rochet

Created: 2019-03-16 16:02:57 UTC

Size: 2.47 KB

patch

obsolete

>diff -Nru a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c
>--- a/modules/filters/mod_deflate.c	2018-10-10 17:40:35.000000000 +0200
>+++ b/modules/filters/mod_deflate.c	2019-03-16 16:24:50.126848429 +0100
>@@ -533,6 +533,7 @@
>     apr_size_t len = 0, blen;
>     const char *data;
>     deflate_filter_config *c;
>+    apr_status_t rv;
> 
>     /* Do nothing if asked to filter nothing. */
>     if (APR_BRIGADE_EMPTY(bb)) {
>@@ -930,14 +931,18 @@
>         }
> 
>         /* read */
>-        apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
>-        if (!len) {
>+        rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
>+        if (rv != APR_SUCCESS || !len) {
>             apr_bucket_delete(e);
>             continue;
>         }
>         if (len > APR_INT32_MAX) {
>             apr_bucket_split(e, APR_INT32_MAX);
>-            apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
>+            rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
>+            if (rv != APR_SUCCESS) {
>+                apr_bucket_delete(e);
>+                continue;
>+            }
>         }
> 
>         /* This crc32 function is from zlib. */
>@@ -1315,13 +1320,16 @@
>             }
> 
>             /* read */
>-            apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ);
>-            if (!len) {
>+            rv = apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ);
>+            if (rv != APR_SUCCESS || !len) {
>                 continue;
>             }
>             if (len > APR_INT32_MAX) {
>                 apr_bucket_split(bkt, APR_INT32_MAX);
>-                apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ);
>+                rv = apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ);
>+                if (rv != APR_SUCCESS) {
>+                    continue;
>+                }
>             }
> 
>             if (ctx->zlib_flags) {
>@@ -1703,14 +1711,18 @@
>         }
> 
>         /* read */
>-        apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
>-        if (!len) {
>+        rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
>+        if (rv != APR_SUCCESS || !len) {
>             apr_bucket_delete(e);
>             continue;
>         }
>         if (len > APR_INT32_MAX) {
>             apr_bucket_split(e, APR_INT32_MAX);
>-            apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
>+            rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
>+            if (rv != APR_SUCCESS) {
>+                apr_bucket_delete(e);
>+                continue;
>+            }
>         }
> 
>         /* first bucket contains zlib header */

Actions: View | Diff

Attachments on bug 63265: 36489