Merge pull request owasp-modsecurity#3099 from twouters/bugfix/3082

airween · web-flow · commit 788c36d34360 · 2024-03-03T19:10:19.000+01:00
Fix possible segfault in collection_unpack
diff --git a/CHANGES b/CHANGES
@@ -1,6 +1,8 @@
 DD mmm YYYY - 2.9.x (to be released)
 -------------------
 
+ * Fix possible segfault in collection_unpack
+   [Issue #3072 - @twouters]
  * Set the minimum security protocol version for SecRemoteRules
    [Issue security/code-scanning/2 - @airween]
  * Allow lua version 5.4
diff --git a/apache2/persist_dbm.c b/apache2/persist_dbm.c
@@ -59,15 +59,15 @@ static apr_table_t *collection_unpack(modsec_rec *msr, const unsigned char *blob
         }
 
         blob_offset += 2;
-        if (blob_offset + var->name_len > blob_size) return NULL;
+        if (var->name_len < 1 || blob_offset + var->name_len > blob_size) return NULL;
         var->name = apr_pstrmemdup(msr->mp, (const char *)blob + blob_offset, var->name_len - 1);
         blob_offset += var->name_len;
         var->name_len--;
 
         var->value_len = (blob[blob_offset] << 8) + blob[blob_offset + 1];
         blob_offset += 2;
 
-        if (blob_offset + var->value_len > blob_size) return NULL;
+        if (var->value_len < 1 || blob_offset + var->value_len > blob_size) return NULL;
         var->value = apr_pstrmemdup(msr->mp, (const char *)blob + blob_offset, var->value_len - 1);
         blob_offset += var->value_len;
         var->value_len--;
