summaryrefslogtreecommitdiff
path: root/apr-util-1.6.1-CVE-2022-25147.patch
diff options
context:
space:
mode:
Diffstat (limited to 'apr-util-1.6.1-CVE-2022-25147.patch')
-rw-r--r--apr-util-1.6.1-CVE-2022-25147.patch127
1 files changed, 127 insertions, 0 deletions
diff --git a/apr-util-1.6.1-CVE-2022-25147.patch b/apr-util-1.6.1-CVE-2022-25147.patch
new file mode 100644
index 0000000..44e87e1
--- /dev/null
+++ b/apr-util-1.6.1-CVE-2022-25147.patch
@@ -0,0 +1,127 @@
+diff --git a/encoding/apr_base64.c b/encoding/apr_base64.c
+index 1eed153..2803106 100644
+--- a/encoding/apr_base64.c
++++ b/encoding/apr_base64.c
+@@ -20,11 +20,20 @@
+ * ugly 'len' functions, which is quite a nasty cost.
+ */
+
++#undef NDEBUG /* always abort() on assert()ion failure */
++#include <assert.h>
++
+ #include "apr_base64.h"
+ #if APR_CHARSET_EBCDIC
+ #include "apr_xlate.h"
+ #endif /* APR_CHARSET_EBCDIC */
+
++/* Above APR_BASE64_ENCODE_MAX length the encoding can't fit in an int >= 0 */
++#define APR_BASE64_ENCODE_MAX 1610612733
++
++/* Above APR_BASE64_DECODE_MAX length the decoding can't fit in an int >= 0 */
++#define APR_BASE64_DECODE_MAX 2863311524u
++
+ /* aaaack but it's fast and const should make it shared text page. */
+ static const unsigned char pr2six[256] =
+ {
+@@ -109,7 +118,6 @@ APU_DECLARE(apr_status_t) apr_base64init_ebcdic(apr_xlate_t *to_ascii,
+
+ APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded)
+ {
+- int nbytesdecoded;
+ register const unsigned char *bufin;
+ register apr_size_t nprbytes;
+
+@@ -117,16 +125,16 @@ APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded)
+ while (pr2six[*(bufin++)] <= 63);
+
+ nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
+- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
++ assert(nprbytes <= APR_BASE64_DECODE_MAX);
+
+- return nbytesdecoded + 1;
++ return (int)(((nprbytes + 3u) / 4u) * 3u + 1u);
+ }
+
+ APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded)
+ {
+ #if APR_CHARSET_EBCDIC
+ apr_size_t inbytes_left, outbytes_left;
+-#endif /* APR_CHARSET_EBCDIC */
++#endif /* APR_CHARSET_EBCDIC */
+ int len;
+
+ len = apr_base64_decode_binary((unsigned char *) bufplain, bufcoded);
+@@ -153,12 +161,13 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
+ bufin = (const unsigned char *) bufcoded;
+ while (pr2six[*(bufin++)] <= 63);
+ nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
+- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
++ assert(nprbytes <= APR_BASE64_DECODE_MAX);
++ nbytesdecoded = (int)(((nprbytes + 3u) / 4u) * 3u);
+
+ bufout = (unsigned char *) bufplain;
+ bufin = (const unsigned char *) bufcoded;
+
+- while (nprbytes > 4) {
++ while (nprbytes >= 4) {
+ *(bufout++) =
+ (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
+ *(bufout++) =
+@@ -178,13 +187,8 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
+ *(bufout++) =
+ (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
+ }
+- if (nprbytes > 3) {
+- *(bufout++) =
+- (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
+- }
+
+- nbytesdecoded -= (4 - (int)nprbytes) & 3;
+- return nbytesdecoded;
++ return nbytesdecoded - (int)((4u - nprbytes) & 3u);
+ }
+
+ static const char basis_64[] =
+@@ -192,6 +196,8 @@ static const char basis_64[] =
+
+ APU_DECLARE(int) apr_base64_encode_len(int len)
+ {
++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
++
+ return ((len + 2) / 3 * 4) + 1;
+ }
+
+@@ -203,6 +209,8 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
+ int i;
+ char *p;
+
++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
++
+ p = encoded;
+ for (i = 0; i < len - 2; i += 3) {
+ *p++ = basis_64[(os_toascii[string[i]] >> 2) & 0x3F];
+@@ -227,7 +235,7 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
+ }
+
+ *p++ = '\0';
+- return p - encoded;
++ return (unsigned int)(p - encoded);
+ #endif /* APR_CHARSET_EBCDIC */
+ }
+
+@@ -240,6 +248,8 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
+ int i;
+ char *p;
+
++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
++
+ p = encoded;
+ for (i = 0; i < len - 2; i += 3) {
+ *p++ = basis_64[(string[i] >> 2) & 0x3F];
+@@ -264,5 +274,5 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
+ }
+
+ *p++ = '\0';
+- return (int)(p - encoded);
++ return (unsigned int)(p - encoded);
+ }
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-28 23:38:00 +0000