diff --git a/modules/dav/main/ms_wdv.c b/modules/dav/main/ms_wdv.c index cd9bb10cf53..ec4bb425cfc 100644 --- a/modules/dav/main/ms_wdv.c +++ b/modules/dav/main/ms_wdv.c @@ -91,7 +91,9 @@ static const char *mswdv_urlencode(request_rec *r, const char *str) char *output; char *op; - output = apr_palloc(r->pool, 3 * strlen(str) + 1); + apr_size_t slen = strlen(str); + ap_assert(slen <= (APR_SIZE_MAX - 1) / 3); + output = apr_palloc(r->pool, 3 * slen + 1); op = output; for (ip = str; *ip; ip++) { diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index c89b2adc786..c5f20e4b8d0 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -722,7 +722,9 @@ static char *escape_backref(apr_pool_t *p, const char *path, const char *escapeme, const char *noescapeme, int flags) { - char *copy = apr_palloc(p, 3 * strlen(path) + 1); + apr_size_t plen = strlen(path); + ap_assert(plen <= (APR_SIZE_MAX - 1) / 3); + char *copy = apr_palloc(p, 3 * plen + 1); const unsigned char *s = (const unsigned char *)path; unsigned char *d = (unsigned char *)copy; int noplus = (flags & RULEFLAG_ESCAPENOPLUS) != 0; diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c index d535d2415d4..0ea47590b69 100644 --- a/modules/proxy/mod_proxy_ftp.c +++ b/modules/proxy/mod_proxy_ftp.c @@ -147,7 +147,9 @@ static const char *ftp_escape_globbingchars(apr_pool_t *p, const char *path, pro return path; } - ret = apr_palloc(p, 2*strlen(path)+sizeof("")); + apr_size_t plen = strlen(path); + ap_assert(plen <= (APR_SIZE_MAX - sizeof("")) / 2); + ret = apr_palloc(p, 2 * plen + sizeof("")); for (d = ret; *path; ++path) { if (strchr(FTP_GLOBBING_CHARS, *path) != NULL) *d++ = '\\'; diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c index a57c35ce0d2..0440e3433d6 100644 --- a/modules/proxy/proxy_util.c +++ b/modules/proxy/proxy_util.c 
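Review bot: In the mod_rewrite.c hunk, the new `ap_assert(plen <= (APR_SIZE_MAX - 1) / 3);` is a statement placed ahead of the initialised declarations `char *copy`, `s`, `d` and `noplus`, so escape_backref now mixes declarations and code. If the tree is still built with C89-style declaration rules or with `-Wdeclaration-after-statement`, this warns or fails to compile. Keeping the declarations together at the top (`apr_size_t plen;`, `char *copy;`, `unsigned char *d;`) and moving the assert, the allocation and `d = (unsigned char *)copy;` below them avoids that. The mod_proxy_ftp.c hunk has the same shape: `apr_size_t plen = strlen(path);` is declared after the early `return path;` block in ftp_escape_globbingchars. Both function bodies continue outside their hunks.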
@@ -262,6 +262,7 @@ PROXY_DECLARE(char *)ap_proxy_canonenc_ex(apr_pool_t *p, const char *x, int len, reserved = ""; } + ap_assert(len <= (APR_SIZE_MAX - 1) / 3); y = apr_palloc(p, 3 * len + 1); for (i = 0, j = 0; i < len; i++, j++) { diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c index 83344bf8600..98555a7607b 100644 --- a/modules/ssl/ssl_engine_vars.c +++ b/modules/ssl/ssl_engine_vars.c @@ -1056,11 +1056,13 @@ static const char *ssl_var_lookup_ssl_clienthello(apr_pool_t *p, const SSLConnRe return apr_psprintf(p, "%04x", (uint16_t) clienthello_vars->version); } else if (strEQ(var, "CIPHERS") && (clienthello_vars->ciphers_len > 0)) { + ap_assert(clienthello_vars->ciphers_len <= (APR_SIZE_MAX - 1) / 2); value = apr_palloc(p, clienthello_vars->ciphers_len * 2 + 1); ap_bin2hex(clienthello_vars->ciphers_data, clienthello_vars->ciphers_len, value); return value; } else if (strEQ(var, "EXTENSIONS") && (clienthello_vars->extids_len > 0)) { + ap_assert(clienthello_vars->extids_len <= (APR_SIZE_MAX - 1) / 4); value = apr_palloc(p, clienthello_vars->extids_len * 4 + 1); for (i = 0; i < clienthello_vars->extids_len; i++) { apr_snprintf(value + i * 4, 5, "%04x", (uint16_t) clienthello_vars->extids_data[i]); 
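Review bot: The assert added to ap_proxy_canonenc_ex does not cover the overflow it sits in front of: `len` is an `int` parameter, so `3 * len + 1` on the next line is evaluated in `int` and overflows (undefined behaviour) once len exceeds `(INT_MAX - 1) / 3`, which is below the asserted `apr_size_t` limit. A negative len is rejected only as a side effect of the implicit conversion to unsigned in the comparison. Either bound it in the type actually used, `ap_assert(len >= 0 && len <= (INT_MAX - 1) / 3);`, or do the arithmetic in the wide type, `y = apr_palloc(p, 3 * (apr_size_t)len + 1);`. The function starts and ends outside the hunk.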
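Review bot: The asserts added to the CIPHERS and EXTENSIONS branches of ssl_var_lookup_ssl_clienthello terminate the process on a length read from `clienthello_vars`, which by its name holds values parsed from the peer's ClientHello (the parsing code is not in this diff). The server/util.c hunk shows ap_assert standing in for `abort()`, so for peer-derived input a graceful failure is the safer pattern if NULL is an acceptable result for this lookup, e.g. `if (clienthello_vars->ciphers_len > (APR_SIZE_MAX - 1) / 2) return NULL;`. The same applies to the GROUPS, EC_FORMATS, SIG_ALGOS, ALPN and VERSIONS branches in the next hunk. Since seven branches repeat one pattern, a small static helper that checks the bound and allocates would keep the limit in one place. The function starts and ends outside the hunk.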
@@ -1068,26 +1070,31 @@ static const char *ssl_var_lookup_ssl_clienthello(apr_pool_t *p, const SSLConnRe return value; } else if (strEQ(var, "GROUPS") && (clienthello_vars->ecgroups_len > 2)) { + ap_assert(clienthello_vars->ecgroups_len <= (APR_SIZE_MAX - 1) / 2); value = apr_palloc(p, clienthello_vars->ecgroups_len * 2 + 1 - 2); ap_bin2hex(clienthello_vars->ecgroups_data + 2, clienthello_vars->ecgroups_len - 2, value); return value; } else if (strEQ(var, "EC_FORMATS") && (clienthello_vars->ecformats_len > 1)) { + ap_assert(clienthello_vars->ecformats_len <= (APR_SIZE_MAX - 1) / 2); value = apr_palloc(p, clienthello_vars->ecformats_len * 2 + 1 - 1); ap_bin2hex(clienthello_vars->ecformats_data + 1, clienthello_vars->ecformats_len - 1, value); return value; } else if (strEQ(var, "SIG_ALGOS") && (clienthello_vars->sigalgos_len > 2)) { + ap_assert(clienthello_vars->sigalgos_len <= (APR_SIZE_MAX - 1) / 2); value = apr_palloc(p, clienthello_vars->sigalgos_len * 2 + 1 - 2); ap_bin2hex(clienthello_vars->sigalgos_data + 2, clienthello_vars->sigalgos_len - 2, value); return value; } else if (strEQ(var, "ALPN") && (clienthello_vars->alpn_len > 2)) { + ap_assert(clienthello_vars->alpn_len <= (APR_SIZE_MAX - 1) / 2); value = apr_palloc(p, clienthello_vars->alpn_len * 2 + 1 - 2); ap_bin2hex(clienthello_vars->alpn_data + 2, clienthello_vars->alpn_len - 2, value); return value; } else if (strEQ(var, "VERSIONS") && (clienthello_vars->versions_len > 1)) { + ap_assert(clienthello_vars->versions_len <= (APR_SIZE_MAX - 1) / 2); value = apr_palloc(p, clienthello_vars->versions_len * 2 + 1 - 1); ap_bin2hex(clienthello_vars->versions_data + 1, clienthello_vars->versions_len - 1, value); return value; diff --git a/server/util.c b/server/util.c index d1d06fc15b4..6a07dd6b532 100644 --- a/server/util.c +++ b/server/util.c 
@@ -2157,9 +2157,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc) /* first, count the number of extra characters */ for (i = 0, j = 0; s[i] != '\0'; i++) { - if (i + j > APR_SIZE_MAX - 6) { - abort(); - } + ap_assert(i + j <= APR_SIZE_MAX - 6); if (s[i] == '<' || s[i] == '>') j += 3; else if (s[i] == '&') @@ -2230,6 +2228,7 @@ AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char *str) } /* Each escaped character needs up to 3 extra bytes (0 --> \x00) */ + ap_assert(escapes <= (APR_SIZE_MAX - length) / 3); ret = apr_palloc(p, length + 3 * escapes); d = (unsigned char *)ret; s = (const unsigned char *)str; @@ -2376,6 +2375,7 @@ AP_DECLARE(char *) ap_make_full_path(apr_pool_t *a, const char *src1, /* allocate +3 for '/' delimiter, trailing NULL and overallocate * one extra byte to allow the caller to add a trailing '/' */ + ap_assert(len1 <= APR_SIZE_MAX - len2 - 3); path = (char *)apr_palloc(a, len1 + len2 + 3); if (len1 == 0) { *path = '/';
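Review bot: In the ap_make_full_path hunk the right-hand side of `ap_assert(len1 <= APR_SIZE_MAX - len2 - 3);` is itself unsigned arithmetic (assuming len1 and len2 are apr_size_t; their declarations are outside the hunk). It therefore wraps when len2 is larger than `APR_SIZE_MAX - 3`, and the assert then passes for a sum that overflows. Checking len2 first closes that gap: `ap_assert(len2 <= APR_SIZE_MAX - 3 && len1 <= APR_SIZE_MAX - 3 - len2);`. The ap_escape_logitem assert in the preceding hunk subtracts only `length` from APR_SIZE_MAX, so it cannot wrap if `length` is an apr_size_t, which the hunk does not show.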