@@ -239,7 +239,9 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
239239 * are constanting allocing space and copying
240240 * strings.
241241 */
242- if (vb .strlen + len + replen > cfg -> max_line_length )
242+ if (vb .strlen > cfg -> max_line_length
243+ || len > cfg -> max_line_length - vb .strlen
244+ || replen > cfg -> max_line_length - vb .strlen - len )
243245 return APR_ENOMEM ;
244246 ap_varbuf_strmemcat (& vb , buff , len );
245247 ap_varbuf_strmemcat (& vb , replacement , replen );
@@ -251,7 +253,7 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
251253 * Check if we still have space for this string and
252254 * the replacement string.
253255 */
254- if (space_left < len + replen )
256+ if (len > space_left || replen > space_left - len )
255257 return APR_ENOMEM ;
256258 space_left -= len + replen ;
257259 /*
@@ -338,7 +340,8 @@ static apr_status_t do_pattmatch(ap_filter_t *f, apr_bucket *inb,
338340 /* Note that the last param in ap_varbuf_regsub below
339341 * must stay positive. If it gets 0, it would mean
340342 * unlimited space available. */
341- if (vb .strlen + regm [0 ].rm_so >= cfg -> max_line_length )
343+ if (vb .strlen >= cfg -> max_line_length
344+ || (apr_size_t )regm [0 ].rm_so > cfg -> max_line_length - vb .strlen )
342345 return APR_ENOMEM ;
343346 /* copy bytes before the match */
344347 if (regm [0 ].rm_so > 0 )
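Review bot: The rewritten guard in the third hunk admits one case the old check rejected: when `vb.strlen + regm[0].rm_so` equals `cfg->max_line_length` exactly, the old `>=` returned APR_ENOMEM, while the new `>` on the difference lets it through. The comment directly above says the last parameter of ap_varbuf_regsub must stay positive because 0 means unlimited space. If that parameter is the remaining `max_line_length - vb.strlen` after the pre-match bytes are copied (the call is outside the hunk, so this is inferred), the equality case would turn the line-length limit off for that substitution. Keeping the original boundary is still overflow-safe, because the first clause already guarantees `vb.strlen < cfg->max_line_length`: `|| (apr_size_t)regm[0].rm_so >= cfg->max_line_length - vb.strlen)`. The other two hunks keep their original boundaries.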