authorGiovanni Bechis <gbechis@apache.org>2023-04-05 08:38:18 +0200
committerGiovanni Bechis <gbechis@apache.org>2023-04-05 08:38:18 +0200
commit24007faa4f5cb59e494feb764e3a247018dc3907 (patch)
tree249a9996ce944cc977f0fd086c9b1bbd33157b01 /server/apreq_module_cgi.c
parentFix a possible NULL pointer dereference of ap_runtime_dir_relative() (diff)
Fix possible NULL pointer dereference casued by apreq_param_make()
The function apreq_param_make() will return NULL on failure. However, the NULL checks were forgotten before the dereference, which could lead to a NULL pointer dereference. Add a NULL check to all uses of apreq_param_make(). Submitted by: Zhou Qingyang <zhou1615@umn.edu> Github: closes #303 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908981 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'server/apreq_module_cgi.c')
-rw-r--r--server/apreq_module_cgi.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/server/apreq_module_cgi.c b/server/apreq_module_cgi.c
index eaf4e99ef4..d67371b4df 100644
--- a/server/apreq_module_cgi.c
+++ b/server/apreq_module_cgi.c
@@ -562,6 +562,8 @@ static apr_status_t cgi_args(apreq_handle_t *handle,
if (val == NULL)
val = "";
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->args);
val = p->v.data;
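Review bot: The added `return APR_ENOMEM;` leaves cgi_args at the point of failure, and nothing in the hunk shows what state the request is left in when that happens. Any parameters already added to `req->args` before the failing call would presumably stay in the table, and whatever the function does after this code (not visible here) is skipped, so the caller may get an error alongside a partially filled table. A short comment at the check would record the intent, for example `/* out of memory: stop here; req->args may already hold earlier entries */`. The same applies to the identical check in cgi_body (third hunk) with `req->body`. cgi_args starts and ends outside the hunk.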
@@ -642,6 +644,8 @@ static apreq_param_t *cgi_args_get(apreq_handle_t *handle,
if (val == NULL)
return NULL;
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return NULL;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->args);
val = p->v.data;
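Review bot: The added `return NULL;` makes an allocation failure indistinguishable from the existing `if (val == NULL) return NULL;` path just above the apreq_param_make() call, so a caller of cgi_args_get cannot tell out-of-memory apart from the other NULL result. That is a reasonable trade-off for avoiding the dereference in `apreq_param_tainted_on(p)`, but it should be stated at the check, for example `/* allocation failed; the caller sees the same NULL as for a missing value */`. If callers treat NULL as "parameter not supplied" and continue, the failure is silently dropped, so it is worth checking whether that is acceptable. The same applies to cgi_body_get in the fourth hunk. cgi_args_get starts and ends outside the hunk.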
@@ -678,6 +682,8 @@ static apr_status_t cgi_body(apreq_handle_t *handle,
if (val == NULL)
val = "";
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->body);
val = p->v.data;
@@ -720,6 +726,8 @@ static apreq_param_t *cgi_body_get(apreq_handle_t *handle,
if (val == NULL)
return NULL;
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return NULL;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->body);
val = p->v.data;