2021-08-24 14:27:56 +00:00
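diff --git a/server/apreq_parser_header.c b/server/apreq_parser_header.c
index 19588be..ede2acf 100644
--- a/server/apreq_parser_header.c
+++ b/server/apreq_parser_header.c
@@ -89,6 +89,8 @@ static apr_status_t split_header_line(apreq_param_t **p,
 if (s != APR_SUCCESS)
 return s;
 
+ if (!(nlen >= len))
+ return APR_EBADARG;
 assert(nlen >= len);
 end->iov_len = len;
 nlen -= len;
@@ -103,12 +105,15 @@ static apr_status_t split_header_line(apreq_param_t **p,
 if (s != APR_SUCCESS)
 return s;
 
+ if (!(glen >= dlen))
+ return APR_EBADARG;
 assert(glen >= dlen);
 glen -= dlen;
 e = APR_BUCKET_NEXT(e);
 }
 
 /* copy value */
+ if (!(vlen > 0)) return APR_EBADARG;
 assert(vlen > 0);
 dest = v->data;
 while (vlen > 0) {
@@ -119,11 +124,13 @@ static apr_status_t split_header_line(apreq_param_t **p,
 
 memcpy(dest, data, dlen);
 dest += dlen;
+ if (!(vlen >= dlen)) return APR_EBADARG;
 assert(vlen >= dlen);
 vlen -= dlen;
 e = APR_BUCKET_NEXT(e);
 }
 
+ if (!(dest[-1] == '\n')) return APR_EBADARG;
 assert(dest[-1] == '\n');
 
 if (dest[-2] == '\r')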
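Review bot: In the value-copy loop (third hunk) the new `if (!(vlen >= dlen)) return APR_EBADARG;` runs after `memcpy(dest, data, dlen);`, so an oversized bucket has already been written past the destination by the time the check rejects it — assuming, as the loop suggests, that `v->data` is sized from `vlen`. Move the test above the copy, e.g. `if (dlen > vlen) return APR_EBADARG;` directly before the `memcpy`. Separately, `vlen > 0` guarantees only one copied byte, so the trailing context line `if (dest[-2] == '\r')` can still read one byte before `v->data` when the value is a lone `\n`; `if (dest - v->data >= 2 && dest[-2] == '\r')` would cover it. The asserts that follow each new check can no longer fire and could be dropped; split_header_line starts and ends outside these hunks.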