
Add integer overflow checks to URL escape allocation functions #615

Open

kodareef5 wants to merge 1 commit into apache:trunk from kodareef5:fix-url-escape-overflow

Conversation

@kodareef5

ap_escape_path_segment, ap_os_escape_path, and ap_escape_urlencoded in server/util.c allocate output buffers using 3 * strlen(input) + constant without checking for integer overflow. On platforms where size_t is 32-bit, inputs exceeding ~1.33GB cause the multiplication to wrap, resulting in an undersized allocation.

The HTML escape function ap_escape_html2 in the same file already has overflow protection at line 2148:

if (i + j > APR_SIZE_MAX - 6) {
    abort();
}

This applies the same pattern to the three URL escape functions for consistency. Each now checks len > (APR_SIZE_MAX - constant) / 3 before the multiplication, calling abort() on overflow.
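The arithmetic behind the check, as an added illustration that is not httpd code: the 32-bit size_t case is simulated with uint32_t so the wrap is reproducible on any host, and the overflow condition is returned as a sentinel instead of going through ap_assert() so it can be exercised directly. The `extra` values used are illustrative stand-ins for each function's constant.

```c
#include <stdint.h>

/* Simulated 32-bit size_t (stands in for size_t / APR_SIZE_MAX). */
typedef uint32_t sz32;
#define SZ32_MAX UINT32_MAX

/* Unchecked form: the allocation size the three functions computed before
 * the PR. With a 32-bit size_t the product wraps modulo 2^32, so a very
 * large len silently yields a buffer far smaller than the escaped output. */
sz32 escape_size_unchecked(sz32 len, sz32 extra)
{
    return (sz32)3 * len + extra;
}

/* Largest len for which 3 * len + extra still fits; this is the bound the
 * PR compares against before multiplying. For extra == 1 it is 1431655764,
 * i.e. roughly 1.33 GB, matching the threshold quoted in the description. */
sz32 escape_size_max_len(sz32 extra)
{
    return (SZ32_MAX - extra) / 3;
}

/* Checked form following the PR's pattern: refuse the computation when
 * len > (MAX - extra) / 3. Returns 0 on overflow (a real size is never 0
 * because extra >= 1); in httpd this is where ap_assert() fails instead. */
sz32 escape_size_checked(sz32 len, sz32 extra)
{
    if (len > escape_size_max_len(extra)) {
        return 0;
    }
    return (sz32)3 * len + extra;
}
```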

@notroj (Collaborator) commented Apr 8, 2026

IMO using ap_assert() is better for these cases; it ends in abort() after logging something relevant.

kodareef5 force-pushed the fix-url-escape-overflow branch from 7076612 to dbd1485 on April 8, 2026 17:57

@kodareef5 (Author)

Good call, updated to use ap_assert() -- switched all four checks from if/abort() to ap_assert(len <= ...).
