author | Giovanni Bechis <gbechis@apache.org> | 2023-03-28 23:12:47 +0200 |
---|---|---|
committer | Giovanni Bechis <gbechis@apache.org> | 2023-03-28 23:12:47 +0200 |
commit | 4599b709bb9ff6895d7627e24940701ea192987a (patch) | |
tree | 4ec0b9b01cd68d4c59df4513b7b72cbb82a901da /server | |
parent | fr doc rebuild. (diff) | |
Fix a possible null pointer dereference in ap_expr_parse()
In ap_expr_parse(), ap_expr_yylex_init() will return 1 on failure,
and ctx.scanner will remain NULL. However, the return value of
ap_expr_yylex_init() is not checked, and there is a dereference of
ctx.scanner in the following function ap_expr_yyset_extra(),
which may lead to a NULL pointer dereference.
Fix this bug by adding a return value check of ap_expr_yylex_init.
Submitted by: Zhou Qingyang <zhou1615@umn.edu>
Github: closes #308
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908772 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'server')
-rw-r--r-- | server/util_expr_eval.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c index 9c71e865b0..f1424aa1a9 100644 --- a/server/util_expr_eval.c +++ b/server/util_expr_eval.c @@ -592,7 +592,10 @@ AP_DECLARE(const char *) ap_expr_parse(apr_pool_t *pool, apr_pool_t *ptemp, ctx.lookup_fn = lookup_fn ? lookup_fn : ap_expr_lookup_default; ctx.at_start = 1; - ap_expr_yylex_init(&ctx.scanner); + rc = ap_expr_yylex_init(&ctx.scanner); + if (rc) + return "ap_expr_yylex_init error"; + ap_expr_yyset_extra(&ctx, ctx.scanner); rc = ap_expr_yyparse(&ctx); ap_expr_yylex_destroy(ctx.scanner); |
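Review bot: the string returned by the new early exit, `return "ap_expr_yylex_init error";`, names an internal function but tells the caller of ap_expr_parse() nothing about what went wrong. Since this function reports failure through its `const char *` return value, a message that describes the condition (that the expression scanner could not be initialised) would read better wherever that string ends up. The early return also skips `ap_expr_yylex_destroy(ctx.scanner)`, which is correct here because the scanner was never set up, but a one-line comment above the `if (rc)` saying so would stop a later reader from "fixing" the missing cleanup. Minor: `rc` now carries both the init result and, a few lines later, the `ap_expr_yyparse(&ctx)` result; that is fine as written, as long as nothing between the two assignments starts depending on the first value.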