From f9e81ccc19e9715e5215c626421658fc55cc97a1 Mon Sep 17 00:00:00 2001 From: Ankit Prateek Date: Sun, 5 Jul 2026 08:32:25 +0530 Subject: [PATCH] mod_sed: fix out-of-bounds read in ycomp on mismatched y/// strings ycomp() compiles the sed "y/source/dest/" transliterate command by walking the source and destination strings in lock-step. The first scan loop guards *tsp against '\0'/'\n', but the second loop reads the destination via *tsp++ with no such guard: it stops only when the source pointer reaches the delimiter. When the destination string is shorter than the source, tsp runs past the destination's closing delimiter and the NUL terminator, reading past the end of the LBSIZE+1 line buffer (commands->linebuf) into adjacent memory until it happens to hit a matching byte. The existing size-mismatch check (SEDERR_TSNTSS) already detects this case -- it fires as soon as a destination byte reads back as the delimiter or NUL -- but it only logs and continues, so the over-read proceeds. Make that check abort compilation (return NULL, as every other error path in ycomp does), which both fixes the over-read and rejects the malformed command, matching the behaviour of standard sed ("strings for `y' command are different lengths"). The sed program is supplied via the OutputSed/InputSed configuration directives (ACCESS_CONF), so this is a robustness fix for malformed configuration, not a remotely triggerable issue. --- CHANGES | 6 ++++++ modules/filters/sed0.c | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/CHANGES b/CHANGES index 1b7ada49993..7ee0039141c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_sed: Fix an out-of-bounds read in the "y" (transliterate) command + compiler when the replacement string is shorter than the source + string. The parser now rejects the mismatched command instead of + reading past the end of the script line buffer. + [Ankit Prateek (OffByQuant) ] + *) mod_proxy_beacon: Back-end reverse proxy servers can announce themselves and be auto-added to their front-end proxy balancer. [Jim Jagielski] diff --git a/modules/filters/sed0.c b/modules/filters/sed0.c index a044f647dba..84ed02d4e94 100644 --- a/modules/filters/sed0.c +++ b/modules/filters/sed0.c @@ -960,7 +960,13 @@ static char *ycomp(sed_commands_t *commands, char *expbuf) tsp++; } if(ep[cint] == commands->sseof || ep[cint] == '\0') { + /* Destination string is shorter than the source string: the byte + * just read is the closing delimiter or the NUL terminator, not a + * real replacement character. Report the size mismatch and stop + * now -- continuing would walk tsp past the end of the line buffer + * (out-of-bounds read of linebuf). */ command_errf(commands, SEDERR_TSNTSS, commands->linebuf); + return NULL; } } if(*tsp != commands->sseof) {