Author: gbechis
Date: Tue Mar 28 21:12:47 2023
New Revision: 1908772
URL: http://svn.apache.org/viewvc?rev=1908772&view=rev
Log:
Fix a possible null pointer dereference in ap_expr_parse()
In ap_expr_parse(), ap_expr_yylex_init() will return 1 on failure,
and ctx.scanner will remain NULL. However the return value of
ap_expr_yylex_init() is not checked, and there is a dereference of
ctx.scanner in following function ap_expr_yyset_extra(),
which may lead to NULL pointer dereference.
Fix this bug by adding return value check of ap_expr_yylex_init.
Submitted by: Zhou Qingyang <zhou1615@umn.edu>
Github: closes #308
Modified:
httpd/httpd/trunk/server/util_expr_eval.c
Modified: httpd/httpd/trunk/server/util_expr_eval.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_eval.c?rev=1908772&r1=1908771&r2=1908772&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr_eval.c (original)
+++ httpd/httpd/trunk/server/util_expr_eval.c Tue Mar 28 21:12:47 2023
@@ -592,7 +592,10 @@ AP_DECLARE(const char *) ap_expr_parse(a
ctx.lookup_fn = lookup_fn ? lookup_fn : ap_expr_lookup_default;
ctx.at_start = 1;
- ap_expr_yylex_init(&ctx.scanner);
+ rc = ap_expr_yylex_init(&ctx.scanner);
+ if (rc)
+ return "ap_expr_yylex_init error";
+
ap_expr_yyset_extra(&ctx, ctx.scanner);
rc = ap_expr_yyparse(&ctx);
ap_expr_yylex_destroy(ctx.scanner);
Date: Tue Mar 28 21:12:47 2023
New Revision: 1908772
URL: http://svn.apache.org/viewvc?rev=1908772&view=rev
Log:
Fix a possible null pointer dereference in ap_expr_parse()
In ap_expr_parse(), ap_expr_yylex_init() will return 1 on failure,
and ctx.scanner will remain NULL. However the return value of
ap_expr_yylex_init() is not checked, and there is a dereference of
ctx.scanner in following function ap_expr_yyset_extra(),
which may lead to NULL pointer dereference.
Fix this bug by adding return value check of ap_expr_yylex_init.
Submitted by: Zhou Qingyang <zhou1615@umn.edu>
Github: closes #308
Modified:
httpd/httpd/trunk/server/util_expr_eval.c
Modified: httpd/httpd/trunk/server/util_expr_eval.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_eval.c?rev=1908772&r1=1908771&r2=1908772&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr_eval.c (original)
+++ httpd/httpd/trunk/server/util_expr_eval.c Tue Mar 28 21:12:47 2023
@@ -592,7 +592,10 @@ AP_DECLARE(const char *) ap_expr_parse(a
ctx.lookup_fn = lookup_fn ? lookup_fn : ap_expr_lookup_default;
ctx.at_start = 1;
- ap_expr_yylex_init(&ctx.scanner);
+ rc = ap_expr_yylex_init(&ctx.scanner);
+ if (rc)
+ return "ap_expr_yylex_init error";
+
ap_expr_yyset_extra(&ctx, ctx.scanner);
rc = ap_expr_yyparse(&ctx);
ap_expr_yylex_destroy(ctx.scanner);