Details
Bug
Status: Resolved
Minor
Resolution: Fixed
1.6.0
None
CentOS 5.3
httpd-2.2.3
rampartc-1.3.0
dell precision desktop
Description
This problem has only been noticed when attempting to decompress input streams via apache.
The problem occurs when a decompression payload fails to decompress properly. In my test case it was because the payload had some flags set in the gzip headers and mod_deflate doesn't support flags. mod_deflate then returned an APR_EGENERAL error message. This message then bubbled up and was returned as a -1 to apache2_stream_read.
This is a problem because size_t, on my system, is unsigned. The checks in apache2_stream_read fail to catch a negative value in this scenario and don't respond appropriately.
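    while (count - len > 0)
    {
        read = ap_get_client_block(stream_impl->request, (char *)buffer + len, count - len);
        if (read > 0)
        {
            len += read;
        }
        else
        {
            break; /* not taken for a -1 return: held in an unsigned read it is a large positive value */
        }
    }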
The else statement will never get reached while read is unsigned. Also, the while loop might have troubles as well. I would suggest modifying read and len to be ssize_t so they match the return value of ap_get_client_block.
If I get this modified and working, I will submit a patch.
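The failure described above can be reproduced without Apache. The following is an added example, not code from the report or from the project: fake_req, fake_get_client_block, read_unsigned, read_signed and the max_calls guard are hypothetical names, and the stub only imitates a client-block read that fails with -1 after delivering some data.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h> /* ssize_t */
/* Constructed stand-in for ap_get_client_block(): hands out r->avail bytes,
 * then returns -1 (failed decompression) if r->fail is set, else 0 (EOF). */
struct fake_req { size_t avail; int fail; };
static long fake_get_client_block(struct fake_req *r, char *buf, size_t n)
{
    size_t chunk = r->avail < n ? r->avail : n;
    if (chunk == 0) return r->fail ? -1 : 0;
    memset(buf, 'A', chunk);
    r->avail -= chunk;
    return (long)chunk;
}

/* Loop shape from the report (size_t read and len); max_calls only bounds the demo. */
static size_t read_unsigned(struct fake_req *r, char *buffer, size_t count, int max_calls)
{
    size_t len = 0, read;
    while (count - len > 0 && max_calls-- > 0) {
        read = (size_t)fake_get_client_block(r, buffer + len, count - len);
        if (read > 0)
            len += read; /* -1 arrived as SIZE_MAX: len wraps down by one */
        else
            break;       /* only reached for a return of exactly 0 */
    }
    return len;
}

/* Signed variant along the lines the report suggests: -1 reaches the caller. */
static ssize_t read_signed(struct fake_req *r, char *buffer, size_t count)
{
    ssize_t len = 0, read;
    while ((ssize_t)count - len > 0) {
        read = fake_get_client_block(r, buffer + len, (size_t)((ssize_t)count - len));
        if (read <= 0)
            return read < 0 ? -1 : len; /* error, or end of request body */
        len += read;
    }
    return len;
}

int main(void)
{
    char b[16];
    struct fake_req q1 = {6, 1}, q2 = {6, 1};
    printf("%zu %zd\n", read_unsigned(&q1, b, sizeof b, 2), read_signed(&q2, b, sizeof b));
    return 0;
}
```

Without the max_calls guard the unsigned loop keeps calling the failing read and moves len backwards on every pass, so the caller never sees the error.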