Skip to content

fix: heap buffer overflow in acmp pm #3544

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
airween wants to merge 2 commits into
base: v3/master
Choose a base branch
from
+4 −3
Open

fix: heap buffer overflow in acmp pm #3544

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5729ae0
fix: heap buffer overflow in acmp pm
airween Apr 12, 2026
66c338e
Remove unnecessary memory allocation
airween Apr 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions src/utils/acmp.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -387,17 +387,18 @@
child->pattern = (char *)"";
child->letter = letter;
child->depth = i;
child->text = (char *)calloc(1, strlen(pattern) + 2);
child->text = (char *)calloc(1, length + 2);

Check failure on line 390 in src/utils/acmp.cc

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Remove this use of "calloc". 


See more on https://sonarcloud.io/project/issues?id=owasp-modsecurity_ModSecurity&issues=AZ2Cs4j1K0fgB4uOo37q&open=AZ2Cs4j1K0fgB4uOo37q&pullRequest=3544
Comment thread
airween marked this conversation as resolved.
Outdated
/* ENH: Check alloc succeded */
for (j = 0; j <= i; j++) child->text[j] = pattern[j];
Copy link
Copy Markdown
Collaborator

@theseion theseion Apr 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for (j = 0; j <= i; j++) child->text[j] = pattern[j];
for (j = 0; j <= i; j++) {
child->text[j] = pattern[j];
}

Copy link
Copy Markdown
Collaborator

@theseion theseion Apr 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not use memcpy here as well?

}
if (i == length - 1) {
if (child->is_last == 0) {
parser->dict_count++;
child->is_last = 1;
child->pattern = (char *)calloc(1, strlen(pattern) + 2);
child->pattern = (char *)calloc(1, length + 2);

Check failure on line 398 in src/utils/acmp.cc

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Remove this use of "calloc". 


See more on https://sonarcloud.io/project/issues?id=owasp-modsecurity_ModSecurity&issues=AZ2Cs4j1K0fgB4uOo37r&open=AZ2Cs4j1K0fgB4uOo37r&pullRequest=3544
Comment thread
airween marked this conversation as resolved.
Outdated
/* ENH: Check alloc succeded */
strcpy(child->pattern, pattern);
memcpy(child->pattern, pattern, length);
child->pattern[length] = '\0';
}
child->callback = callback;
child->callback_data = data;
Expand Down
Loading