Add sanity check for a couple malloc() and make code more resilient

2025-09-29 19:24:29 +03:00 · 2018-11-04 22:04:34 -05:00
parent b3fa87dc7c
commit 9be0a407eb
4 changed files with 21 additions and 5 deletions
--- a/2
+++ b/2
@@ -1,6 +1,8 @@
 DD MMM YYYY - 2.9.3 - To be released
 ------------------------------------

+ * Add sanity check for a couple malloc() and make code more resilient
+   [Issue #979 - @dogbert2, @victorhora, @zimmerl]
 * Fix NetBSD build by renaming the hmac function to avoid conflicts
   [Issue #1241 - @victorhora, @joerg, @sevan]
 * IIS: Windows build, fix duplicate YAJL dir in script
--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
@@ -312,6 +312,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
        struct curl_slist *headers_chunk = NULL;
 #ifdef WIN32
        char *buf = malloc(sizeof(TCHAR) * (2048 + 1));
+       if (buf == NULL) { /* malloc failed... */
+           *error_msg = apr_psprintf(mp, "Unable to allocate memory");
+           ret = -2;
+           goto failed;    
+       }    
        char *ptr = NULL;
        DWORD res_len;
 #endif
--- a/apache2/msc_util.c
+++ b/apache2/msc_util.c
@@ -2779,8 +2779,8 @@ int ip_tree_from_param(apr_pool_t *mp,
 }

 #ifdef WITH_CURL
-size_t msc_curl_write_memory_cb(void *contents, size_t size,
-        size_t nmemb, void *userp)
+size_t msc_curl_write_memory_cb(apr_pool_t *mp, void *contents, size_t size,
+        size_t nmemb, void *userp, char **error_msg)
 {
    size_t realsize = size * nmemb;
    struct msc_curl_memory_buffer_t *mem = (struct msc_curl_memory_buffer_t *)userp;
@@ -2788,11 +2788,20 @@ size_t msc_curl_write_memory_cb(void *contents, size_t size,
    if (mem->size == 0)
    {
        mem->memory = malloc(realsize + 1);
+        if (mem->memory == NULL) {
+            *error_msg = apr_psprintf(mp, "Unable to allocate buffer for mem->memory");
+            return 0;
+        }
        memset(mem->memory, '\0', sizeof(realsize + 1));
    }
    else
    {
-        mem->memory = realloc(mem->memory, mem->size + realsize + 1);
+        void *tmp;
+        tmp = mem->memory;
+        tmp = realloc(mem->memory, mem->size + realsize + 1);
+        if (tmp != NULL) {
+            mem->memory = tmp;
+        }
        memset(mem->memory + mem->size, '\0', sizeof(realsize + 1));
    }

--- a/apache2/msc_util.h
+++ b/apache2/msc_util.h
@@ -166,8 +166,8 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri,

 int read_line(char *buff, int size, FILE *fp);

-size_t msc_curl_write_memory_cb(void *contents, size_t size,
-    size_t nmemb, void *userp);
+size_t msc_curl_write_memory_cb(apr_pool_t *mp, void *contents, size_t size,
+    size_t nmemb, void *userp, char **error_msg);

 struct msc_curl_memory_buffer_t
 {