diff --git a/CHANGES b/CHANGES index 1b7ada49993..7ee0039141c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_sed: Fix an out-of-bounds read in the "y" (transliterate) command + compiler when the replacement string is shorter than the source + string. The parser now rejects the mismatched command instead of + reading past the end of the script line buffer. + [Ankit Prateek (OffByQuant) ] + *) mod_proxy_beacon: Back-end reverse proxy servers can announce themselves and be auto-added to their front-end proxy balancer. [Jim Jagielski] diff --git a/modules/filters/sed0.c b/modules/filters/sed0.c index a044f647dba..84ed02d4e94 100644 --- a/modules/filters/sed0.c +++ b/modules/filters/sed0.c @@ -960,7 +960,13 @@ static char *ycomp(sed_commands_t *commands, char *expbuf) tsp++; } if(ep[cint] == commands->sseof || ep[cint] == '\0') { + /* Destination string is shorter than the source string: the byte + * just read is the closing delimiter or the NUL terminator, not a + * real replacement character. Report the size mismatch and stop + * now -- continuing would walk tsp past the end of the line buffer + * (out-of-bounds read of linebuf). */ command_errf(commands, SEDERR_TSNTSS, commands->linebuf); + return NULL; } } if(*tsp != commands->sseof) {