From 9722758dd8ea9500d93b59ef480ae71b02c5c55a Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Sun, 12 Apr 2026 22:42:31 +0200
Subject: [PATCH 1/2] fix: heap buffer overflow in acmp pm
---
 apache2/acmp.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/apache2/acmp.c b/apache2/acmp.c
index 3691dd12e5..12c91848ba 100644
--- a/apache2/acmp.c
+++ b/apache2/acmp.c
@@ -514,7 +514,7 @@ apr_status_t acmp_add_pattern(ACMP *parser, const char *pattern,
 child->pattern = "";
 child->letter = letter;
 child->depth = i;
- child->text = apr_pcalloc(parser->pool, strlen(pattern) + 2);
+ child->text = apr_pcalloc(parser->pool, i + 2);
 /* ENH: Check alloc succeded */
 for (j = 0; j <= i; j++) child->text[j] = pattern[j];
 }
@@ -522,9 +522,10 @@ apr_status_t acmp_add_pattern(ACMP *parser, const char *pattern,
 if (child->is_last == 0) {
 parser->dict_count++;
 child->is_last = 1;
- child->pattern = apr_pcalloc(parser->pool, strlen(pattern) + 2);
+ child->pattern = apr_pcalloc(parser->pool, length + 1);
 /* ENH: Check alloc succeded */
- strcpy(child->pattern, pattern);
+ memcpy(child->pattern, pattern, length);
+ child->pattern[length] = '\0';
 }
 child->callback = callback;
 child->callback_data = data;
From 86668b01489835c4150ce2cce919e1b866c1ca17 Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Mon, 20 Apr 2026 19:55:17 +0200
Subject: [PATCH 2/2] Move function into a bracket separated block
Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com>
---
 apache2/acmp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/apache2/acmp.c b/apache2/acmp.c
index 12c91848ba..8e2fe0fc1d 100644
--- a/apache2/acmp.c
+++ b/apache2/acmp.c
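Review bot: The new `i + 2` size for `child->text` in the first hunk is only correct because the copy loop below writes exactly `i + 1` bytes and the terminator comes from apr_pcalloc's zero fill, and nothing at the allocation says so. A comment such as `/* i + 1 prefix bytes, plus one byte left zeroed as the terminator */` would keep a later change to the loop bound from reintroducing the overflow. The `/* ENH: Check alloc succeded */` marker is still unanswered, so the loop writes through `child->text` without a NULL check. The enclosing loop over `i` starts outside the hunk, so I am assuming `i < length` holds there.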
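Review bot: In the second hunk, `memcpy(child->pattern, pattern, length)` reads exactly `length` bytes from `pattern` where `strcpy` stopped at the first NUL, so the copy is only as safe as the guarantee that `pattern` holds at least `length` readable bytes. How `length` is derived is outside the hunk; if it can come from a caller-supplied length, the contract should be stated, for example `/* pattern must provide at least length readable bytes; it need not be NUL-terminated */` above the allocation. A pattern with an embedded NUL is now stored in full, but any consumer that treats `child->pattern` as a C string will see it truncated, which is worth confirming against the callers. The diffstat lists only apache2/acmp.c, so no regression test for the overflow accompanies the fix.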
@@ -516,7 +516,9 @@ apr_status_t acmp_add_pattern(ACMP *parser, const char *pattern,
 child->depth = i;
 child->text = apr_pcalloc(parser->pool, i + 2);
 /* ENH: Check alloc succeded */
- for (j = 0; j <= i; j++) child->text[j] = pattern[j];
+ for (j = 0; j <= i; j++) {
+ child->text[j] = pattern[j];
+ }
 }
 if (i == length - 1) {
 if (child->is_last == 0) {