Add integer overflow check to ap_escape_shell_cmd()

kodareef5 · kodareef5 · commit 7076612eb185 · 2026-03-23T12:36:59.000Z
ap_escape_shell_cmd at line 1820 computes 2 * strlen(str) + 1
without checking for overflow. Same pattern as the URL escape
functions fixed in the previous commit. Add (APR_SIZE_MAX - 1) / 2
guard, consistent with ap_escape_html2's overflow protection.
diff --git a/server/util.c b/server/util.c
@@ -1816,8 +1816,12 @@ AP_DECLARE(char *) ap_escape_shell_cmd(apr_pool_t *p, const char *str)
     char *cmd;
     unsigned char *d;
     const unsigned char *s;
+    apr_size_t len = strlen(str);
 
-    cmd = apr_palloc(p, 2 * strlen(str) + 1);        /* Be safe */
+    if (len > (APR_SIZE_MAX - 1) / 2) {
+        abort();
+    }
+    cmd = apr_palloc(p, 2 * len + 1);
     d = (unsigned char *)cmd;
     s = (const unsigned char *)str;
     for (; *s; ++s) {
