release 2.3.7: return error when input is too large for pcre_subst

Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Jul 6, 2018 · eb42628 · eb42628
1 parent 81f3ee2
commit eb42628
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 9 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+07/06/2018
+- abort when string length for remote user name substitution is larger than 255 characters
+- release 2.3.7
+
 07/04/2018
 - fix Redis concurrency issue when used with multiple vhosts
 - bump to 2.3.7rc4 and 2.3.7rc5

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.3.7rc5],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.3.7],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/pcre_subst.c b/src/pcre_subst.c
@@ -38,8 +38,6 @@ computer system, and to redistribute it freely, subject to the following
 #include <pcre.h>
 #include "pcre_subst.h"
 
-#define MAXCAPTURE	255
-
 #ifdef DEBUG_PCRE_SUBST
 static void
 dumpstr(const char *str, int len, int start, int end)
@@ -114,8 +112,8 @@ edit(const char *str, int len, const char *rep, int nmat, const int *ovec)
 	int i, slen, rlen;
 	const int *mvec = ovec;
 	char *res, *cp;
-	int replen[MAXCAPTURE];
-	const char *repstr[MAXCAPTURE];
+	int replen[OIDC_PCRE_MAXCAPTURE];
+	const char *repstr[OIDC_PCRE_MAXCAPTURE];
 	nmat--;
 	ovec += 2;
 	for (i = 0; i < nmat; i++) {
@@ -149,7 +147,7 @@ pcre_subst(const pcre *ppat, const pcre_extra *extra, const char *str, int len,
 			int offset, int options, const char *rep)
 {
 	int nmat;
-	int ovec[MAXCAPTURE * 3];
+	int ovec[OIDC_PCRE_MAXCAPTURE * 3];
 	nmat = pcre_exec(ppat, extra, str, len, offset, options,
 		ovec, sizeof(ovec));
 #ifdef DEBUG_PCRE_SUBST

diff --git a/src/pcre_subst.h b/src/pcre_subst.h
@@ -32,4 +32,6 @@ computer system, and to redistribute it freely, subject to the following
    supersede any condition above with which it is incompatible.
 */
 
+#define OIDC_PCRE_MAXCAPTURE	255
+
 char *pcre_subst(const pcre *, const pcre_extra *, const char *, int, int, int, const char *);
diff --git a/src/util.c b/src/util.c
@@ -2076,7 +2076,6 @@ apr_hash_t * oidc_util_merge_key_sets(apr_pool_t *pool, apr_hash_t *k1,
  *     text_original: "match 292 numbers"
  *     text_replaced: "292"
  */
-
 apr_byte_t oidc_util_regexp_substitute(apr_pool_t *pool, const char *input,
 		const char *regexp, const char *replace, char **output,
 		char **error_str) {
@@ -2093,6 +2092,14 @@ apr_byte_t oidc_util_regexp_substitute(apr_pool_t *pool, const char *input,
 		goto out;
 	}
 
+	if (strlen(input) >= OIDC_PCRE_MAXCAPTURE - 1) {
+		*error_str =
+				apr_psprintf(pool,
+						"string length (%d) is larger than the maximum allowed for pcre_subst (%d)",
+						(int) strlen(input), OIDC_PCRE_MAXCAPTURE - 1);
+		goto out;
+	}
+
 	substituted = pcre_subst(preg, NULL, input, (int) strlen(input), 0, 0,
 			replace);
 	if (substituted == NULL) {
@@ -2106,8 +2113,7 @@ apr_byte_t oidc_util_regexp_substitute(apr_pool_t *pool, const char *input,
 	*output = apr_pstrdup(pool, substituted);
 	rc = TRUE;
 
-out:
-	if (substituted)
+	out: if (substituted)
 		pcre_free(substituted);
 	if (preg)
 		pcre_free(preg);