Blame SOURCES/httpd-2.4.34-CVE-2022-23943.patch

diff --git a/modules/filters/libsed.h b/modules/filters/libsed.h
index 76cbc0c..0256b1e 100644
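--- a/modules/filters/libsed.h
+++ b/modules/filters/libsed.h
@@ -60,7 +60,7 @@ struct sed_label_s {
 };
 
 typedef apr_status_t (sed_err_fn_t)(void *data, const char *error);
-typedef apr_status_t (sed_write_fn_t)(void *ctx, char *buf, int sz);
+typedef apr_status_t (sed_write_fn_t)(void *ctx, char *buf, apr_size_t sz);
 
 typedef struct sed_commands_s sed_commands_t;
 #define NWFILES 11 /* 10 plus one for standard output */
@@ -69,7 +69,7 @@ struct sed_commands_s {
     sed_err_fn_t *errfn;
     void         *data;
 
-    unsigned     lsize;
+    apr_size_t   lsize;
     char         *linebuf;
     char         *lbend;
     const char   *saveq;
@@ -116,15 +116,15 @@ struct sed_eval_s {
     apr_int64_t    lnum;
     void           *fout;
 
-    unsigned       lsize;
+    apr_size_t     lsize;
     char           *linebuf;
     char           *lspend;
 
-    unsigned       hsize;
+    apr_size_t     hsize;
     char           *holdbuf;
     char           *hspend;
 
-    unsigned       gsize;
+    apr_size_t     gsize;
     char           *genbuf;
     char           *lcomend;
 
@@ -160,7 +160,7 @@ apr_status_t sed_init_eval(sed_eval_t *eval, sed_commands_t *commands,
                            sed_err_fn_t *errfn, void *data,
                            sed_write_fn_t *writefn, apr_pool_t *p);
 apr_status_t sed_reset_eval(sed_eval_t *eval, sed_commands_t *commands, sed_err_fn_t *errfn, void *data);
-apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void *fout);
+apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz, void *fout);
 apr_status_t sed_eval_file(sed_eval_t *eval, apr_file_t *fin, void *fout);
 apr_status_t sed_finalize_eval(sed_eval_t *eval, void *f);
 void sed_destroy_eval(sed_eval_t *eval);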
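Review bot: The changed `sed_write_fn_t` typedef and the `sed_eval_buffer` prototype carry no comment stating the size contract, and that contract has just changed. With `sz` and `bufsz` now unsigned, a caller that still computes a length in an `int` and passes a negative value gets it converted to a very large apr_size_t instead of a value a callee could reject. I would add above the typedef `/* sz is the number of bytes at buf; it is unsigned, so lengths must be validated before the call */` and the same wording for `bufsz`. The widened `lsize`/`hsize`/`gsize` fields also change the layout of sed_commands_s and sed_eval_s where apr_size_t is wider than unsigned, so everything that includes libsed.h has to be rebuilt together; this header looks internal to modules/filters, but that is worth confirming for the packaged build.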
diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c
index 346c210..8595e41 100644
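--- a/modules/filters/mod_sed.c
+++ b/modules/filters/mod_sed.c
@@ -51,7 +51,7 @@ typedef struct sed_filter_ctxt
     apr_bucket_brigade *bbinp;
     char *outbuf;
     char *curoutbuf;
-    int bufsize;
+    apr_size_t bufsize;
     apr_pool_t *tpool;
     int numbuckets;
 } sed_filter_ctxt;
@@ -100,7 +100,7 @@ static void alloc_outbuf(sed_filter_ctxt* ctx)
 /* append_bucket
  * Allocate a new bucket from buf and sz and append to ctx->bb
  */
-static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, int sz)
+static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, apr_size_t sz)
 {
     apr_status_t status = APR_SUCCESS;
     apr_bucket *b;
@@ -133,7 +133,7 @@ static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, int sz)
  */
 static apr_status_t flush_output_buffer(sed_filter_ctxt *ctx)
 {
-    int size = ctx->curoutbuf - ctx->outbuf;
+    apr_size_t size = ctx->curoutbuf - ctx->outbuf;
     char *out;
     apr_status_t status = APR_SUCCESS;
     if ((ctx->outbuf == NULL) || (size <=0))
@@ -147,12 +147,12 @@ static apr_status_t flush_output_buffer(sed_filter_ctxt *ctx)
 /* This is a call back function. When libsed wants to generate the output,
  * this function will be invoked.
  */
-static apr_status_t sed_write_output(void *dummy, char *buf, int sz)
+static apr_status_t sed_write_output(void *dummy, char *buf, apr_size_t sz)
 {
     /* dummy is basically filter context. Context is passed during invocation
      * of sed_eval_buffer
      */
-    int remainbytes = 0;
+    apr_size_t remainbytes = 0;
     apr_status_t status = APR_SUCCESS;
     sed_filter_ctxt *ctx = (sed_filter_ctxt *) dummy;
     if (ctx->outbuf == NULL) {
@@ -168,21 +168,29 @@ static apr_status_t sed_write_output(void *dummy, char *buf, int sz)
         }
         /* buffer is now full */
         status = append_bucket(ctx, ctx->outbuf, ctx->bufsize);
-        /* old buffer is now used so allocate new buffer */
-        alloc_outbuf(ctx);
-        /* if size is bigger than the allocated buffer directly add to output
-         * brigade */
-        if ((status == APR_SUCCESS) && (sz >= ctx->bufsize)) {
-            char* newbuf = apr_pmemdup(ctx->tpool, buf, sz);
-            status = append_bucket(ctx, newbuf, sz);
-            /* pool might get clear after append_bucket */
-            if (ctx->outbuf == NULL) {
+        if (status == APR_SUCCESS) {
+            /* if size is bigger than the allocated buffer directly add to output
+             * brigade */
+            if (sz >= ctx->bufsize) {
+                char* newbuf = apr_pmemdup(ctx->tpool, buf, sz);
+                status = append_bucket(ctx, newbuf, sz);
+                if (status == APR_SUCCESS) {
+                    /* old buffer is now used so allocate new buffer */
+                    alloc_outbuf(ctx);
+                }
+                else {
+                    clear_ctxpool(ctx);
+                }
+            }
+            else {
+                /* old buffer is now used so allocate new buffer */
                 alloc_outbuf(ctx);
+                memcpy(ctx->curoutbuf, buf, sz);
+                ctx->curoutbuf += sz;
             }
         }
         else {
-            memcpy(ctx->curoutbuf, buf, sz);
-            ctx->curoutbuf += sz;
+            clear_ctxpool(ctx);
         }
     }
     else {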
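Review bot: In flush_output_buffer the unchanged guard `if ((ctx->outbuf == NULL) || (size <=0))` no longer does what it reads as doing once `size` becomes an apr_size_t. An unsigned value is never negative, so the test reduces to `size == 0`. If `curoutbuf` were ever below `outbuf`, the subtraction would wrap to a huge length and pass the guard, where the old `int` would have been caught. The difference is also computed before the NULL check runs. I would compare the pointers instead, `if ((ctx->outbuf == NULL) || (ctx->curoutbuf <= ctx->outbuf))`, and compute `size` only after that test. The rest of the function body lies outside this hunk, so how `size` is consumed afterwards should be checked against the full file.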
diff --git a/modules/filters/sed1.c b/modules/filters/sed1.c
index f463ec9..d88a547 100644
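--- a/modules/filters/sed1.c
+++ b/modules/filters/sed1.c
@@ -71,7 +71,7 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
 static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2);
 static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
                             step_vars_storage *step_vars);
-static apr_status_t wline(sed_eval_t *eval, char *buf, int sz);
+static apr_status_t wline(sed_eval_t *eval, char *buf, apr_size_t sz);
 static apr_status_t arout(sed_eval_t *eval);
 
 static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
@@ -92,11 +92,11 @@ static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
  * grow_buffer
  */
 static void grow_buffer(apr_pool_t *pool, char **buffer,
-                        char **spend, unsigned int *cursize,
-                        unsigned int newsize)
+                        char **spend, apr_size_t *cursize,
+                        apr_size_t newsize)
 {
     char* newbuffer = NULL;
-    int spendsize = 0;
+    apr_size_t spendsize = 0;
     if (*cursize >= newsize)
         return;
     /* Avoid number of times realloc is called. It could cause huge memory
@@ -124,7 +124,7 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
 /*
  * grow_line_buffer
  */
-static void grow_line_buffer(sed_eval_t *eval, int newsize)
+static void grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
 {
     grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
                 &eval->lsize, newsize);
@@ -133,7 +133,7 @@ static void grow_line_buffer(sed_eval_t *eval, int newsize)
 /*
  * grow_hold_buffer
  */
-static void grow_hold_buffer(sed_eval_t *eval, int newsize)
+static void grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
 {
     grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
                 &eval->hsize, newsize);
@@ -142,7 +142,7 @@ static void grow_hold_buffer(sed_eval_t *eval, int newsize)
 /*
  * grow_gen_buffer
  */
-static void grow_gen_buffer(sed_eval_t *eval, int newsize,
+static void grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
                             char **gspend)
 {
     if (gspend == NULL) {
@@ -156,9 +156,9 @@ static void grow_gen_buffer(sed_eval_t *eval, int newsize,
 /*
  * appendmem_to_linebuf
  */
-static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, int len)
+static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
 {
-    unsigned int reqsize = (eval->lspend - eval->linebuf) + len;
+    apr_size_t reqsize = (eval->lspend - eval->linebuf) + len;
     if (eval->lsize < reqsize) {
         grow_line_buffer(eval, reqsize);
     }
@@ -169,21 +169,36 @@ static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, int len)
 /*
  * append_to_linebuf
  */
-static void append_to_linebuf(sed_eval_t *eval, const char* sz)
+static void append_to_linebuf(sed_eval_t *eval, const char* sz,
+                              step_vars_storage *step_vars)
 {
-    int len = strlen(sz);
+    apr_size_t len = strlen(sz);
+    char *old_linebuf = eval->linebuf;
     /* Copy string including null character */
     appendmem_to_linebuf(eval, sz, len + 1);
     --eval->lspend; /* lspend will now point to NULL character */
+    /* Sync step_vars after a possible linebuf expansion */
+    if (step_vars && old_linebuf != eval->linebuf) {
+        if (step_vars->loc1) {
+            step_vars->loc1 = step_vars->loc1 - old_linebuf + eval->linebuf;
+        }
+        if (step_vars->loc2) {
+            step_vars->loc2 = step_vars->loc2 - old_linebuf + eval->linebuf;
+        }
+        if (step_vars->locs) {
+            step_vars->locs = step_vars->locs - old_linebuf + eval->linebuf;
+        }
+    }
 }
 
 /*
  * copy_to_linebuf
  */
-static void copy_to_linebuf(sed_eval_t *eval, const char* sz)
+static void copy_to_linebuf(sed_eval_t *eval, const char* sz,
+                            step_vars_storage *step_vars)
 {
     eval->lspend = eval->linebuf;
-    append_to_linebuf(eval, sz);
+    append_to_linebuf(eval, sz, step_vars);
 }
 
 /*
@@ -191,8 +206,8 @@ static void copy_to_linebuf(sed_eval_t *eval, const char* sz)
  */
 static void append_to_holdbuf(sed_eval_t *eval, const char* sz)
 {
-    int len = strlen(sz);
-    unsigned int reqsize = (eval->hspend - eval->holdbuf) + len + 1;
+    apr_size_t len = strlen(sz);
+    apr_size_t reqsize = (eval->hspend - eval->holdbuf) + len + 1;
     if (eval->hsize <= reqsize) {
         grow_hold_buffer(eval, reqsize);
     }
@@ -215,8 +230,8 @@ static void copy_to_holdbuf(sed_eval_t *eval, const char* sz)
  */
 static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
 {
-    int len = strlen(sz);
-    unsigned int reqsize = (*gspend - eval->genbuf) + len + 1;
+    apr_size_t len = strlen(sz);
+    apr_size_t reqsize = (*gspend - eval->genbuf) + len + 1;
     if (eval->gsize < reqsize) {
         grow_gen_buffer(eval, reqsize, gspend);
     }
@@ -230,8 +245,8 @@ static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
  */
 static void copy_to_genbuf(sed_eval_t *eval, const char* sz)
 {
-    int len = strlen(sz);
-    unsigned int reqsize = len + 1;
+    apr_size_t len = strlen(sz);
+    apr_size_t reqsize = len + 1;
     if (eval->gsize < reqsize) {
         grow_gen_buffer(eval, reqsize, NULL);
     }
@@ -353,7 +368,7 @@ apr_status_t sed_eval_file(sed_eval_t *eval, apr_file_t *fin, void *fout)
 /*
  * sed_eval_buffer
  */
-apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void *fout)
+apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz, void *fout)
 {
     apr_status_t rv;
 
@@ -383,7 +398,7 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void
 
     while (bufsz) {
         char *n;
-        int llen;
+        apr_size_t llen;
 
         n = memchr(buf, '\n', bufsz);
         if (n == NULL)
@@ -442,7 +457,7 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
              * buffer is not a newline.
              */
             /* Assure space for NULL */
-            append_to_linebuf(eval, "");
+            append_to_linebuf(eval, "", NULL);
         }
 
         *eval->lspend = '\0';
@@ -666,7 +681,7 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
     lp = step_vars->loc2;
     step_vars->loc2 = sp - eval->genbuf + eval->linebuf;
     append_to_genbuf(eval, lp, &sp);
-    copy_to_linebuf(eval, eval->genbuf);
+    copy_to_linebuf(eval, eval->genbuf, step_vars);
     return rv;
 }
 
@@ -676,8 +691,8 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
 static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2)
 {
     char *sp = asp;
-    int n = al2 - al1;
-    unsigned int reqsize = (sp - eval->genbuf) + n + 1;
+    apr_size_t n = al2 - al1;
+    apr_size_t reqsize = (sp - eval->genbuf) + n + 1;
 
     if (eval->gsize < reqsize) {
         grow_gen_buffer(eval, reqsize, &sp);
@@ -733,7 +748,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
             }
 
             p1++;
-            copy_to_linebuf(eval, p1);
+            copy_to_linebuf(eval, p1, step_vars);
             eval->jflag++;
             break;
 
@@ -743,12 +758,12 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
             break;
 
         case GCOM:
-            copy_to_linebuf(eval, eval->holdbuf);
+            copy_to_linebuf(eval, eval->holdbuf, step_vars);
             break;
 
         case CGCOM:
-            append_to_linebuf(eval, "\n");
-            append_to_linebuf(eval, eval->holdbuf);
+            append_to_linebuf(eval, "\n", step_vars);
+            append_to_linebuf(eval, eval->holdbuf, step_vars);
             break;
 
         case HCOM:
@@ -879,7 +894,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
                 if (rv != APR_SUCCESS)
                     return rv;
             }
-            append_to_linebuf(eval, "\n");
+            append_to_linebuf(eval, "\n", step_vars);
             eval->pending = ipc->next;
             break;
 
@@ -951,7 +966,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
             break;
         case XCOM:
             copy_to_genbuf(eval, eval->linebuf);
-            copy_to_linebuf(eval, eval->holdbuf);
+            copy_to_linebuf(eval, eval->holdbuf, step_vars);
             copy_to_holdbuf(eval, eval->genbuf);
             break;
 
@@ -1008,7 +1023,7 @@ static apr_status_t arout(sed_eval_t *eval)
 /*
  * wline
  */
-static apr_status_t wline(sed_eval_t *eval, char *buf, apr_size_t sz)
+static apr_status_t wline(sed_eval_t *eval, char *buf, apr_size_t sz)
 {
     apr_status_t rv = APR_SUCCESS;
     rv = eval->writefn(eval->fout, buf, sz);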
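Review bot: The size computations feeding the grow_* helpers are still unchecked additions: `reqsize = (eval->lspend - eval->linebuf) + len` in appendmem_to_linebuf, with the same pattern in append_to_holdbuf, append_to_genbuf and place. Widening to apr_size_t removes the int/unsigned truncation, but on a build where apr_size_t is 32 bits the sum can wrap just as the old `unsigned int` did, and nothing visible in these hunks caps how far the line, hold or gen buffer may grow on filter input. A guard of the form `if (len > APR_SIZE_MAX - used) return APR_ENOMEM;`, with `used` being the current fill such as `eval->lspend - eval->linebuf`, would close that. It requires the void grow_*/append_*/copy_* helpers to return an apr_status_t so that command() and sed_eval_buffer can stop processing. In place, `apr_size_t n = al2 - al1` also turns an inverted pointer pair into a huge length rather than a negative one, so the ordering of `al1`/`al2` deserves an explicit check or a comment. The bodies of grow_buffer and place are only partly inside these hunks, so grow_buffer's rounding arithmetic should be checked for the same wrap.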