ASF Bugzilla – Attachment 36489 Details for
Bug 63265
does not check apr_bucket_read return value and then use uninitialized returned len value
[patch]
patch adding checks to apr_bucket_read return value
apache-2.4.38-fix-mod-deflate-using-uninitialized-len-value-from-apr-bucket-read.patch (text/plain), 2.47 KB, created by
Sylvain Rochet
on 2019-03-16 16:02:57 UTC
>diff -Nru a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c >--- a/modules/filters/mod_deflate.c 2018-10-10 17:40:35.000000000 +0200 >+++ b/modules/filters/mod_deflate.c 2019-03-16 16:24:50.126848429 +0100 >@@ -533,6 +533,7 @@ > apr_size_t len = 0, blen; > const char *data; > deflate_filter_config *c; >+ apr_status_t rv; > > /* Do nothing if asked to filter nothing. */ > if (APR_BRIGADE_EMPTY(bb)) { >@@ -930,14 +931,18 @@ > } > > /* read */ >- apr_bucket_read(e, &data, &len, APR_BLOCK_READ); >- if (!len) { >+ rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ); >+ if (rv != APR_SUCCESS || !len) { > apr_bucket_delete(e); > continue; > } > if (len > APR_INT32_MAX) { > apr_bucket_split(e, APR_INT32_MAX); >- apr_bucket_read(e, &data, &len, APR_BLOCK_READ); >+ rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ); >+ if (rv != APR_SUCCESS) { >+ apr_bucket_delete(e); >+ continue; >+ } > } > > /* This crc32 function is from zlib. */ >@@ -1315,13 +1320,16 @@ > } > > /* read */ >- apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ); >- if (!len) { >+ rv = apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ); >+ if (rv != APR_SUCCESS || !len) { > continue; > } > if (len > APR_INT32_MAX) { > apr_bucket_split(bkt, APR_INT32_MAX); >- apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ); >+ rv = apr_bucket_read(bkt, &data, &len, APR_BLOCK_READ); >+ if (rv != APR_SUCCESS) { >+ continue; >+ } > } > > if (ctx->zlib_flags) { >@@ -1703,14 +1711,18 @@ > } > > /* read */ >- apr_bucket_read(e, &data, &len, APR_BLOCK_READ); >- if (!len) { >+ rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ); >+ if (rv != APR_SUCCESS || !len) { > apr_bucket_delete(e); > continue; > } > if (len > APR_INT32_MAX) { > apr_bucket_split(e, APR_INT32_MAX); >- apr_bucket_read(e, &data, &len, APR_BLOCK_READ); >+ rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ); >+ if (rv != APR_SUCCESS) { >+ apr_bucket_delete(e); >+ continue; >+ } > } > > /* first bucket contains zlib header */
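Review bot: In the hunk at @@ -533, `apr_status_t rv;` is added to one function's declarations, but the hunks at @@ -930, @@ -1315 and @@ -1703 assign `rv` with no declaration visible in their context. Please confirm that each of those read sites sits in a function that already has an `apr_status_t rv` in scope, and add the declaration where it does not, so the patch does not rely on an unrelated or shadowed variable.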
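Review bot: At the first read in the hunk at @@ -930, a failed `apr_bucket_read` is folded into the empty-bucket branch (`if (rv != APR_SUCCESS || !len)`), so the bucket is deleted and the loop continues with the status discarded. The data in that bucket is then silently missing from the output and the caller never learns the read failed. Suggest splitting the two cases: keep delete-and-continue for `!len`, and for `rv != APR_SUCCESS` log the error and return `rv` from the filter.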
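Review bot: In the hunk at @@ -1315, both failure branches are a bare `continue`, which is inconsistent with the other two read sites, where the bucket is deleted first, and which drops the error status. As far as this hunk shows, an unreadable bucket is skipped as if it were empty and processing moves on to the next one, so a partial body can be passed along without any error. Suggest returning `rv` on read failure here rather than continuing.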
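Review bot: In the hunk at @@ -1703, the return value of `apr_bucket_split(e, APR_INT32_MAX)` is still ignored, and the new check after the second read tests only `rv`. If the split fails, the re-read can succeed with the same oversized `len`, and the code below proceeds with `len > APR_INT32_MAX`, which is the case the split was meant to prevent. Suggest capturing the split status (`rv = apr_bucket_split(...)`) and bailing out on failure before re-reading; the same applies to the split calls in the hunks at @@ -930 and @@ -1315.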