From fae704b9c5ba0782dff3669fc25ce29c4c3f85d0 Mon Sep 17 00:00:00 2001
From: orange-snn
Date: Wed, 29 Dec 2021 09:31:27 +0800
Subject: [PATCH] sync from master
---
 backport-CVE-2021-44790.patch | 29 +++++++
 ...ease-a-fuzzer-which-reports-overflow.patch | 75 +++++++++++++++++++
 ...erflow-in-ap_timeout_parameter_parse.patch | 72 ++++++++++++++++++
 httpd.spec | 17 ++++-
 4 files changed, 192 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-44790.patch
 create mode 100644 backport-Improve-fix-to-please-a-fuzzer-which-reports-overflow.patch
 create mode 100644 backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch
diff --git a/backport-CVE-2021-44790.patch b/backport-CVE-2021-44790.patch
new file mode 100644
index 0000000..44cd994
--- /dev/null
+++ b/backport-CVE-2021-44790.patch
@@ -0,0 +1,29 @@
+From 07b9768cef6a224d256358c404c6ed5622d8acce Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Thu, 16 Dec 2021 11:15:47 +0000
+Subject: [PATCH] Merge r1895970 from trunk:
+
+ *) mod_lua: Improve error handling
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896039 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/lua/lua_request.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
+index 67ff432..493b2bb 100644
+--- a/modules/lua/lua_request.c
++++ b/modules/lua/lua_request.c
+@@ -410,6 +410,7 @@ static int req_parsebody(lua_State *L)
+ if (end == NULL) break;
+ key = (char *) apr_pcalloc(r->pool, 256);
+ filename = (char *) apr_pcalloc(r->pool, 256);
++ if (end - crlf <= 8) break;
+ vlen = end - crlf - 8;
+ buffer = (char *) apr_pcalloc(r->pool, vlen+1);
+ memcpy(buffer, crlf + 4, vlen);
+--
+1.8.3.1
+
diff --git a/backport-Improve-fix-to-please-a-fuzzer-which-reports-overflow.patch b/backport-Improve-fix-to-please-a-fuzzer-which-reports-overflow.patch
new file mode 100644
index 0000000..98a77b3
--- /dev/null
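Review bot: The new file backport-CVE-2021-44790.patch is never referenced from httpd.spec: the spec hunk at the end of this diff adds only `Patch28:` and `Patch29:` for the two server/util.c patches, so unless patches are picked up by some mechanism not visible here, the mod_lua change is not applied in the build. Add `Patch30: backport-CVE-2021-44790.patch` next to the other Patch lines, plus the matching `%patch` application if the spec does not use `%autosetup` (that part of the spec is outside this diff). The guard `if (end - crlf <= 8) break;` placed before `vlen = end - crlf - 8;` is the whole upstream change; req_parsebody starts and ends outside the hunk, and the patch header carries no CVE reference, so the file name is the only link between this file and the changelog.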
+++ b/backport-Improve-fix-to-please-a-fuzzer-which-reports-overflow.patch 
@@ -0,0 +1,75 @@
+From 9226cbc6b92492615856b567ac7f7557f196634b Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet
+Date: Tue, 10 Aug 2021 18:49:20 +0000
+Subject: [PATCH] Follow up to 1892038, 1892063.
+
+Improve fix to please a fuzzer which reports:
+ util.c:2713:26: runtime error: signed integer overflow:
+ 9999999999999999 * 1000 cannot be represented in type 'long'
+
+Compute the maximum limit for each case 's', 'h', 'ms' and 'mi' and make sure that the input is below this value.
+
+While at it, move a comment to make things more consistent and use 'apr_time_from_msec() instead of hand writing it.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892185 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/util.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/server/util.c b/server/util.c
+index 4a35eac6b0c..d87417f7621 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -2668,6 +2668,7 @@ AP_DECLARE(char *) ap_append_pid(apr_pool_t *p, const char *string,
+ * in timeout_parameter.
+ * @return Status value indicating whether the parsing was successful or not.
+ */
++#define CHECK_OVERFLOW(a, b) if (a > b) return APR_ERANGE
+ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+ const char *timeout_parameter,
+ apr_interval_time_t *timeout,
+@@ -2697,10 +2698,12 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+ switch (*time_str) {
+ /* Time is in seconds */
+ case 's':
++ CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX));
+ check = apr_time_from_sec(tout);
+ break;
++ /* Time is in hours */
+ case 'h':
+- /* Time is in hours */
++ CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 3600));
+ check = apr_time_from_sec(tout * 3600);
+ break;
+ case 'm':
+@@ -2710,10 +2713,12 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+ switch (*(++time_str)) {
+ /* Time is in milliseconds */
+ case 's':
+- check = tout * 1000;
++ CHECK_OVERFLOW(tout, apr_time_as_msec(APR_INT64_MAX));
++ check = apr_time_from_msec(tout);
+ break;
+ /* Time is in minutes */
+ case 'i':
++ CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 60));
+ check = apr_time_from_sec(tout * 60);
+ break;
+ default:
+@@ -2724,12 +2729,11 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+ default:
+ return APR_EGENERAL;
+ }
+- if (check > APR_INT64_MAX || check < 0) {
+- return APR_ERANGE;
+- }
+- *timeout = (apr_interval_time_t) check;
++
++ *timeout = (apr_interval_time_t)check;
+ return APR_SUCCESS;
+ }
++#undef CHECK_OVERFLOW
+
+ AP_DECLARE(int) ap_parse_strict_length(apr_off_t *len, const char *str)
+ {
+
diff --git a/backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch b/backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch
new file mode 100644
index 0000000..a0fca76
--- /dev/null
+++ b/backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch
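Review bot: This patch only applies on top of backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch: its last hunk deletes the `if (check > APR_INT64_MAX || check < 0) {` block and the `*timeout = (apr_interval_time_t) check;` line that the other patch introduces, and the `check = apr_time_from_sec(tout);` context lines come from it too. The spec hunk at the end of this diff lists Patch28 before Patch29, which is the required order, but nothing in this file records the dependency; a header line such as `Depends on: backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch (r1892038)` would keep a later reordering from breaking the build. `CHECK_OVERFLOW(a, b)` with unparenthesized arguments and a `return` hidden in the macro is upstream r1892185's wording, which is acceptable as long as the backport stays byte-identical to upstream; ap_timeout_parameter_parse starts before the first hunk and the hunks cut through its body.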
@@ -0,0 +1,72 @@
+From 7ea44d0402334e40f31730d889c5ad60e158692d Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Fri, 6 Aug 2021 13:10:45 +0000
+Subject: [PATCH] fix int overflow in ap_timeout_parameter_parse
+
+signed integer overflow in ap_timeout_parameter_parse under fuzzing
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892038 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/util.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/server/util.c b/server/util.c
+index 2d7708ae851..6f9dbd4d657 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -2676,6 +2676,7 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+ char *endp;
+ const char *time_str;
+ apr_int64_t tout;
++ apr_uint64_t check;
+
+ tout = apr_strtoi64(timeout_parameter, &endp, 10);
+ if (errno) {
+@@ -2688,14 +2689,18 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+ time_str = endp;
+ }
+
++ if (tout < 0) {
++ return APR_ERANGE;
++ }
++
+ switch (*time_str) {
+ /* Time is in seconds */
+ case 's':
+- *timeout = (apr_interval_time_t) apr_time_from_sec(tout);
++ check = apr_time_from_sec(tout);
+ break;
+ case 'h':
+ /* Time is in hours */
+- *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 3600);
++ check = apr_time_from_sec(tout * 3600);
+ break;
+ case 'm':
+ switch (*(++time_str)) {
+@@ -2705,11 +2710,11 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+ switch (*(++time_str)) {
+ /* Time is in milliseconds */
+ case 's':
+- *timeout = (apr_interval_time_t) tout * 1000;
++ check = tout * 1000;
+ break;
+ /* Time is in minutes */
+ case 'i':
+- *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 60);
++ check = apr_time_from_sec(tout * 60);
+ break;
+ default:
+ return APR_EGENERAL;
+@@ -2719,6 +2724,10 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
+ default:
+ return APR_EGENERAL;
+ }
++ if (check > APR_INT64_MAX || check < 0) {
++ return APR_ERANGE;
++ }
++ *timeout = 
(apr_interval_time_t) check;
+ return APR_SUCCESS;
+ }
+
+
diff --git a/httpd.spec b/httpd.spec
index fc60b7a..79ebff9 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.48
-Release: 3
+Release: 5
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -77,6 +77,8 @@ Patch24: backport-003-CVE-2021-40438.patch
 Patch25: backport-004-CVE-2021-40438.patch
 Patch26: backport-001-CVE-2021-39275.patch
 Patch27: backport-002-CVE-2021-39275.patch
+Patch28: backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch
+Patch29: backport-Improve-fix-to-please-a-fuzzer-which-reports-overflow.patch
 BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@@ -509,6 +511,19 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Wed Dec 29 2021 orange-snn - 2.4.48-5
+- Type:cves
+- ID:NA
+- SUG:restart
+- DESC:fix CVE-2021-44224
+
+* Fri Nov 05 2021 gaihuiying - 2.4.48-4
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:fix int overflow in ap_timeout_parameter_parse
+ Improve fix to please a fuzzer int overflow
+
 * Wed Sep 29 2021 gaihuiying - 2.4.48-3
 - Type:cves
 - ID:CVE-2021-40438 CVE-2021-39275
--
Gitee
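Review bot: The 2.4.48-5 changelog entry says `- DESC:fix CVE-2021-44224`, but the only CVE-named file this commit adds is backport-CVE-2021-44790.patch and no CVE-2021-44224 patch appears anywhere in the diff, so either the entry names the wrong identifier or the CVE-2021-44224 fix was left out of the sync. The entry is also `Type:cves` with `- ID:NA`, which leaves the identifier out of the field that tooling reads; the 2.4.48-3 entry below shows the expected form, `- ID:CVE-2021-40438 CVE-2021-39275`. Whichever CVE is actually being fixed, the ID and DESC lines should carry the same identifier as the patch file that the spec applies.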