!62 fix Integer overflow in ap_timeout_parameter_parse

From: @eaglegai
Reviewed-by: @zengwefeng
Signed-off-by: @zengwefeng

backport-Improve-fix-to-please-a-fuzzer-which-reports-overflow.patch

@@ -0,0 +1,74 @@
+From 9226cbc6b92492615856b567ac7f7557f196634b Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet <jailletc36@apache.org>
+Date: Tue, 10 Aug 2021 18:49:20 +0000
+Subject: [PATCH] Follow up to 1892038, 1892063.
+
+Improve fix to please a fuzzer which reports:
+   util.c:2713:26: runtime error: signed integer overflow:
+   9999999999999999 * 1000 cannot be represented in type 'long'
+
+Compute the maximum limit for each case 's', 'h', 'ms' and 'mi' and make sure that the input is below this value.
+
+While at it, move a comment to make things more consistent and use 'apr_time_from_msec() instead of hand writing it.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892185 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/util.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/server/util.c b/server/util.c
+index 4a35eac6b0c..d87417f7621 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -2668,6 +2668,7 @@ AP_DECLARE(char *) ap_append_pid(apr_pool_t *p, const char *string,
+  * in timeout_parameter.
+  * @return Status value indicating whether the parsing was successful or not.
+  */
++#define CHECK_OVERFLOW(a, b) if (a > b) return APR_ERANGE
+ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+                                                const char *timeout_parameter,
+                                                apr_interval_time_t *timeout,
+@@ -2697,10 +2698,12 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+     switch (*time_str) {
+         /* Time is in seconds */
+     case 's':
++        CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX));
+         check = apr_time_from_sec(tout);
+         break;
++        /* Time is in hours */
+     case 'h':
+-        /* Time is in hours */
++        CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 3600));
+         check = apr_time_from_sec(tout * 3600);
+         break;
+     case 'm':
+@@ -2710,10 +2713,12 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+         switch (*(++time_str)) {
+         /* Time is in milliseconds */
+         case 's':
+-            check = tout * 1000;
++            CHECK_OVERFLOW(tout, apr_time_as_msec(APR_INT64_MAX));
++            check = apr_time_from_msec(tout);
+             break;
+         /* Time is in minutes */
+         case 'i':
++            CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 60));
+             check = apr_time_from_sec(tout * 60);
+             break;
+         default:
+@@ -2724,12 +2729,11 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+     default:
+         return APR_EGENERAL;
+     }
+-    if (check > APR_INT64_MAX || check < 0) { 
+-        return APR_ERANGE;
+-    }
+-    *timeout = (apr_interval_time_t) check;
++
++    *timeout = (apr_interval_time_t)check;
+     return APR_SUCCESS;
+ }
++#undef CHECK_OVERFLOW
+ 
+ AP_DECLARE(int) ap_parse_strict_length(apr_off_t *len, const char *str)
+ {

backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch

@@ -0,0 +1,71 @@
+From 7ea44d0402334e40f31730d889c5ad60e158692d Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Fri, 6 Aug 2021 13:10:45 +0000
+Subject: [PATCH] fix int overflow in ap_timeout_parameter_parse
+
+signed integer overflow in ap_timeout_parameter_parse under fuzzing
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892038 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/util.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/server/util.c b/server/util.c
+index 2d7708ae851..6f9dbd4d657 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -2676,6 +2676,7 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+     char *endp;
+     const char *time_str;
+     apr_int64_t tout;
++    apr_uint64_t check;
+ 
+     tout = apr_strtoi64(timeout_parameter, &endp, 10);
+     if (errno) {
+@@ -2688,14 +2689,18 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+         time_str = endp;
+     }
+ 
++    if (tout < 0) { 
++        return APR_ERANGE;
++    }
++
+     switch (*time_str) {
+         /* Time is in seconds */
+     case 's':
+-        *timeout = (apr_interval_time_t) apr_time_from_sec(tout);
++        check = apr_time_from_sec(tout);
+         break;
+     case 'h':
+         /* Time is in hours */
+-        *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 3600);
++        check = apr_time_from_sec(tout * 3600);
+         break;
+     case 'm':
+         switch (*(++time_str)) {
+@@ -2705,11 +2710,11 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+         switch (*(++time_str)) {
+         /* Time is in milliseconds */
+         case 's':
+-            *timeout = (apr_interval_time_t) tout * 1000;
++            check = tout * 1000;
+             break;
+         /* Time is in minutes */
+         case 'i':
+-            *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 60);
++            check = apr_time_from_sec(tout * 60);
+             break;
+         default:
+             return APR_EGENERAL;
+@@ -2719,6 +2724,10 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+     default:
+         return APR_EGENERAL;
+     }
++    if (check > APR_INT64_MAX || check < 0) { 
++        return APR_ERANGE;
++    }
++    *timeout = (apr_interval_time_t) check;
+     return APR_SUCCESS;
+ }
+ 

httpd.spec

@@ -8,7 +8,7 @@
 Name:             httpd
 Summary:          Apache HTTP Server
 Version:          2.4.48
-Release:          3
+Release:          4
 License:          ASL 2.0
 URL:              https://httpd.apache.org/
 Source0:          https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -77,6 +77,8 @@ Patch24:          backport-003-CVE-2021-40438.patch
 Patch25:          backport-004-CVE-2021-40438.patch
 Patch26:          backport-001-CVE-2021-39275.patch
 Patch27:          backport-002-CVE-2021-39275.patch
+Patch28:          backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch
+Patch29:          backport-Improve-fix-to-please-a-fuzzer-which-reports-overflow.patch
 
 BuildRequires:    gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires:    zlib-devel libselinux-devel lua-devel brotli-devel
@@ -509,6 +511,13 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Fri Nov 05 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.48-4
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:fix int overflow in ap_timeout_parameter_parse
+       Improve fix to please a fuzzer int overflow
+
 * Wed Sep 29 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.48-3
 - Type:cves
 - ID:CVE-2021-40438 CVE-2021-39275