ronald 99/04/10 16:21:23
Modified: src CHANGES
src/main util.c
Log:
ap_uuencode was not allocating space for terminating '\0'
ap_uudecode was running past the beginning of the buffer for empty input
strings, and past the end of the buffer for certain (invalid) input
PR: 3422
Reviewed by: Dean Gaudet
Revision Changes Path
1.1307 +4 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1306
retrieving revision 1.1307
diff -u -r1.1306 -r1.1307
--- CHANGES 1999/04/10 21:51:01 1.1306
+++ CHANGES 1999/04/10 23:21:21 1.1307
@@ -1,5 +1,9 @@
Changes with Apache 1.3.7
+ *) Fix buffer overflows in ap_uuencode and ap_uudecode pointed out
+ by "Peter 'Luna' Altberg <[EMAIL PROTECTED]>" and PR#3422
+ [Peter 'Luna' Altberg <[EMAIL PROTECTED]>, Ronald Tschal�r]
+
*) Make {Set,Unset,Pass}Env per-directory instead of per-server.
[Ben Laurie]
1.157 +23 -15 apache-1.3/src/main/util.c
Index: util.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/util.c,v
retrieving revision 1.156
retrieving revision 1.157
diff -u -r1.156 -r1.157
--- util.c 1999/03/20 15:41:07 1.156
+++ util.c 1999/04/10 23:21:23 1.157
@@ -1962,7 +1962,7 @@
bufin = (const unsigned char *) bufcoded;
- while (nprbytes > 0) {
+ while (nprbytes > 4) {
*(bufout++) =
(unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
*(bufout++) =
@@ -1973,13 +1973,15 @@
nprbytes -= 4;
}
- if (nprbytes & 03) {
- if (pr2six[bufin[-2]] > 63)
- nbytesdecoded -= 2;
- else
- nbytesdecoded -= 1;
+ /* Note: (nprbytes == 1) would be an error, so just ingore that case */
+ if (nprbytes > 1) {
+ *(bufout++) =
+ (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
}
- bufplain[nbytesdecoded] = '\0';
+ if (nprbytes > 2) {
+ *(bufout++) =
+ (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
+ }
#else /*CHARSET_EBCDIC*/
bufin = (const unsigned char *) bufcoded;
while (pr2six[os_toascii[(unsigned char)*(bufin++)]] <= 63);
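Review bot: An input whose final group is exactly four encoded characters loses its third decoded byte: `while (nprbytes > 4)` now leaves nprbytes == 4 for the tail, the tail emits only the `nprbytes > 1` and `nprbytes > 2` bytes, and the `(4 - nprbytes) & 3` correction applied later subtracts nothing, so one byte before the terminator is never written (this assumes nbytesdecoded was rounded up to whole 3-byte groups earlier in the function, which is outside the hunk). Add the missing third step after the `nprbytes > 2` block, mirroring the third output of the main loop: `if (nprbytes > 3) { *(bufout++) = (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); }`. The reads `bufin[1]`/`bufin[2]` in the two existing tail cases stay inside the nprbytes valid characters, so those are fine. The added comment also misspells "ignore" (`ingore`); ap_uudecode begins before this hunk.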
@@ -1991,7 +1993,7 @@
bufin = (const unsigned char *) bufcoded;
- while (nprbytes > 0) {
+ while (nprbytes > 4) {
*(bufout++) = os_toebcdic[
(unsigned char) (pr2six[os_toascii[*bufin]] << 2 |
pr2six[os_toascii[bufin[1]]] >> 4)];
*(bufout++) = os_toebcdic[
@@ -2002,14 +2004,20 @@
nprbytes -= 4;
}
- if (nprbytes & 03) {
- if (pr2six[os_toascii[bufin[-2]]] > 63)
- nbytesdecoded -= 2;
- else
- nbytesdecoded -= 1;
+ /* Note: (nprbytes == 1) would be an error, so just ingore that case */
+ if (nprbytes > 1) {
+ *(bufout++) = os_toebcdic[
+ (unsigned char) (pr2six[os_toascii[*bufin]] << 2 |
pr2six[os_toascii[bufin[1]]] >> 4)];
}
- bufplain[nbytesdecoded] = '\0';
+ if (nprbytes > 2) {
+ *(bufout++) = os_toebcdic[
+ (unsigned char) (pr2six[os_toascii[bufin[1]]] << 4 |
pr2six[os_toascii[bufin[2]]] >> 2)];
+ }
#endif /*CHARSET_EBCDIC*/
+
+ nbytesdecoded -= (4 - nprbytes) & 3;
+ bufplain[nbytesdecoded] = '\0';
+
return bufplain;
}
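Review bot: The EBCDIC tail has the same gap as the ASCII one: with the loop stopping at `nprbytes > 4`, a trailing group of four characters only produces two bytes here, yet `nbytesdecoded -= (4 - nprbytes) & 3;` subtracts nothing for nprbytes == 4, leaving an unwritten byte in bufplain before the '\0'. Add after the `nprbytes > 2` block: `if (nprbytes > 3) { *(bufout++) = os_toebcdic[(unsigned char) (pr2six[os_toascii[bufin[2]]] << 6 | pr2six[os_toascii[bufin[3]]])]; }`. The shared correction line depends on how nbytesdecoded was initialised outside this hunk, which is worth stating next to it: `/* nbytesdecoded counts whole 3-byte groups; drop the bytes the partial last group did not produce (nprbytes == 1 is invalid and yields none) */`. The `ingore` typo in the comment should read "ignore".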
@@ -2020,7 +2028,7 @@
{
int i, len = strlen(string);
char *p;
- char *encoded = (char *) ap_palloc(a, (len+2) / 3 * 4);
+ char *encoded = (char *) ap_palloc(a, ((len+2) / 3 * 4) + 1);
p = encoded;
#ifndef CHARSET_EBCDIC
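Review bot: The corrected allocation size is right but unexplained; a one-line comment would keep the next person from "simplifying" it back: `/* 4 output chars per 3 input bytes, rounded up, plus the terminating '\0' */` above the `ap_palloc` call. The encoder's loop that fills `encoded` and writes the terminator lies outside this hunk, so whether it actually emits the '\0' that this extra byte reserves cannot be confirmed from here; ap_uuencode begins before and continues past the hunk.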