apache · SABITHSAHEB · Jun 14, 2026 · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026
diff --git a/modules/dav/main/ms_wdv.c b/modules/dav/main/ms_wdv.c
@@ -91,7 +91,14 @@ static const char *mswdv_urlencode(request_rec *r, const char *str)
     char *output;
     char *op;
 
-    output = apr_palloc(r->pool, 3 * strlen(str) + 1);
+    apr_size_t slen = strlen(str);
+    if (slen > (APR_SIZE_MAX - 1) / 3) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "mswdv_urlencode: input length too large (%zu), rejecting to avoid allocation overflow",
+                      (size_t)slen);
+        return "";
+    }
+    output = apr_palloc(r->pool, 3 * slen + 1);
     op = output;
 
     for (ip = str; *ip; ip++) {

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
@@ -722,7 +722,14 @@ static char *escape_backref(apr_pool_t *p, const char *path,
                             const char *escapeme, const char *noescapeme,
                             int flags)
 {
-    char *copy = apr_palloc(p, 3 * strlen(path) + 1);
+    apr_size_t plen = strlen(path);
+    if (plen > (APR_SIZE_MAX - 1) / 3) {
+        ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
+                      "escape_backref: input length too large (%zu), rejecting to avoid allocation overflow",
+                      (size_t)plen);
+        return apr_pstrdup(p, "");
+    }
+    char *copy = apr_palloc(p, 3 * plen + 1);
     const unsigned char *s = (const unsigned char *)path;
     unsigned char *d = (unsigned char *)copy;
     int noplus = (flags & RULEFLAG_ESCAPENOPLUS) != 0;

diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
@@ -147,7 +147,14 @@ static const char *ftp_escape_globbingchars(apr_pool_t *p, const char *path, pro
         return path;
     }
 
-    ret = apr_palloc(p, 2*strlen(path)+sizeof(""));
+    apr_size_t plen = strlen(path);
+    if (plen > (APR_SIZE_MAX - sizeof("")) / 2) {
+        ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
+                      "ftp_escape_globbingchars: input length too large (%zu), rejecting to avoid allocation overflow",
+                      (size_t)plen);
+        return apr_pstrdup(p, path);
+    }
+    ret = apr_palloc(p, 2 * plen + sizeof(""));
     for (d = ret; *path; ++path) {
         if (strchr(FTP_GLOBBING_CHARS, *path) != NULL)
             *d++ = '\\';

diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
@@ -262,6 +262,12 @@ PROXY_DECLARE(char *)ap_proxy_canonenc_ex(apr_pool_t *p, const char *x, int len,
         reserved = "";
     }
 
+    if (len > (APR_SIZE_MAX - 1) / 3) {
+        ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
+                      "ap_proxy_canonenc_ex: input length too large (%d), rejecting to avoid allocation overflow",
+                      len);
+        return NULL;
+    }
     y = apr_palloc(p, 3 * len + 1);
 
     for (i = 0, j = 0; i < len; i++, j++) {
@@ -1093,7 +1099,54 @@ PROXY_DECLARE(const char *) ap_proxy_cookie_reverse_map(request_rec *r,
     }
 
     if (newpath) {
-        ret = apr_palloc(r->pool, len + pdiff + ddiff + 1);
+        /* Compute required size safely, checking for overflow/underflow. */
+        apr_size_t need = (apr_size_t)len;
+        if (pdiff >= 0) {
+            if ((apr_size_t)pdiff > APR_SIZE_MAX - need) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "ap_proxy_cookie: pdiff too large, rejecting to avoid allocation overflow (len=%zu, pdiff=%d)",
+                              (size_t)len, pdiff);
+                return NULL;
+            }
+            need += (apr_size_t)pdiff;
+        }
+        else {
+            apr_size_t neg = (apr_size_t)(-pdiff);
+            if (neg > need) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "ap_proxy_cookie: pdiff underflow, rejecting (len=%zu, pdiff=%d)",
+                              (size_t)len, pdiff);
+                return NULL;
+            }
+            need -= neg;
+        }
+        if (ddiff >= 0) {
+            if ((apr_size_t)ddiff > APR_SIZE_MAX - need) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "ap_proxy_cookie: ddiff too large, rejecting to avoid allocation overflow (len=%zu, ddiff=%d)",
+                              (size_t)len, ddiff);
+                return NULL;
+            }
+            need += (apr_size_t)ddiff;
+        }
+        else {
+            apr_size_t neg = (apr_size_t)(-ddiff);
+            if (neg > need) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "ap_proxy_cookie: ddiff underflow, rejecting (len=%zu, ddiff=%d)",
+                              (size_t)len, ddiff);
+                return NULL;
+            }
+            need -= neg;
+        }
+        if (need > APR_SIZE_MAX - 1) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                          "ap_proxy_cookie: required allocation too large (need=%zu), rejecting",
+                          (size_t)need);
+            return NULL;
+        }
+        need += 1; /* for trailing NUL */
+        ret = apr_palloc(r->pool, need);
         l1 = strlen(newpath);
         if (newdomain) {
             l2 = strlen(newdomain);
@@ -1119,7 +1172,35 @@ PROXY_DECLARE(const char *) ap_proxy_cookie_reverse_map(request_rec *r,
         }
     }
     else if (newdomain) {
-            ret = apr_palloc(r->pool, len + ddiff + 1);
+            /* Compute required size safely for len + ddiff + 1 */
+            apr_size_t need = (apr_size_t)len;
+            if (ddiff >= 0) {
+                if ((apr_size_t)ddiff > APR_SIZE_MAX - need) {
+                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                                  "ap_proxy_cookie: ddiff too large, rejecting to avoid allocation overflow (len=%zu, ddiff=%d)",
+                                  (size_t)len, ddiff);
+                    return NULL;
+                }
+                need += (apr_size_t)ddiff;
+            }
+            else {
+                apr_size_t neg = (apr_size_t)(-ddiff);
+                if (neg > need) {
+                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                                  "ap_proxy_cookie: ddiff underflow, rejecting (len=%zu, ddiff=%d)",
+                                  (size_t)len, ddiff);
+                    return NULL;
+                }
+                need -= neg;
+            }
+            if (need > APR_SIZE_MAX - 1) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "ap_proxy_cookie: required allocation too large (need=%zu), rejecting",
+                              (size_t)need);
+                return NULL;
+            }
+            need += 1;
+            ret = apr_palloc(r->pool, need);
             l2 = strlen(newdomain);
             memcpy(ret, str, doffs);
             memcpy(ret + doffs, newdomain, l2);

diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
@@ -1055,39 +1055,91 @@ static const char *ssl_var_lookup_ssl_clienthello(apr_pool_t *p, const SSLConnRe
     if (strEQ(var, "VERSION")) {
         return apr_psprintf(p, "%04x", (uint16_t) clienthello_vars->version);
     }
-    else if (strEQ(var, "CIPHERS") && (clienthello_vars->ciphers_len > 0)) {
-        value = apr_palloc(p, clienthello_vars->ciphers_len * 2 + 1);
+    if (strEQ(var, "CIPHERS") && (clienthello_vars->ciphers_len > 0)) {
+        apr_size_t n = clienthello_vars->ciphers_len;
+        if (n > (APR_SIZE_MAX - 1) / 2) {
+            ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
+                          "ssl_var_lookup_ssl_clienthello: ciphers_len too large (%zu), rejecting to avoid allocation overflow",
+                          (size_t)n);
+            return NULL;
+        }
+        value = apr_palloc(p, n * 2 + 1);
         ap_bin2hex(clienthello_vars->ciphers_data, clienthello_vars->ciphers_len, value);
         return value;
     }
     else if (strEQ(var, "EXTENSIONS") && (clienthello_vars->extids_len > 0)) {
-        value = apr_palloc(p, clienthello_vars->extids_len * 4 + 1);
+        apr_size_t n = clienthello_vars->extids_len;
+        if (n > (APR_SIZE_MAX - 1) / 4) {
+            ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
+                          "ssl_var_lookup_ssl_clienthello: extids_len too large (%zu), rejecting to avoid allocation overflow",
+                          (size_t)n);
+            return NULL;
+        }
+        value = apr_palloc(p, n * 4 + 1);
         for (i = 0; i < clienthello_vars->extids_len; i++) {
             apr_snprintf(value + i * 4, 5, "%04x", (uint16_t) clienthello_vars->extids_data[i]);
         }
         return value;
     }
     else if (strEQ(var, "GROUPS") && (clienthello_vars->ecgroups_len > 2)) {
+        apr_size_t n = clienthello_vars->ecgroups_len;
+        /* required = 2*n + 1 - 2 = 2*n - 1 */
+        if (n > (APR_SIZE_MAX + 1) / 2) {
+            ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
+                          "ssl_var_lookup_ssl_clienthello: ecgroups_len too large (%zu), rejecting to avoid allocation overflow",
+                          (size_t)n);
+            return NULL;
+        }
         value = apr_palloc(p, clienthello_vars->ecgroups_len * 2 + 1 - 2);
         ap_bin2hex(clienthello_vars->ecgroups_data + 2, clienthello_vars->ecgroups_len - 2, value);
         return value;
     }
     else if (strEQ(var, "EC_FORMATS") && (clienthello_vars->ecformats_len > 1)) {
+        apr_size_t n = clienthello_vars->ecformats_len;
+        /* required = 2*n + 1 - 1 = 2*n */
+        if (n > APR_SIZE_MAX / 2) {
+            ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
+                          "ssl_var_lookup_ssl_clienthello: ecformats_len too large (%zu), rejecting to avoid allocation overflow",
+                          (size_t)n);
+            return NULL;
+        }
         value = apr_palloc(p, clienthello_vars->ecformats_len * 2 + 1 - 1);
         ap_bin2hex(clienthello_vars->ecformats_data + 1, clienthello_vars->ecformats_len - 1, value);
         return value;
     }
     else if (strEQ(var, "SIG_ALGOS") && (clienthello_vars->sigalgos_len > 2)) {
+        apr_size_t n = clienthello_vars->sigalgos_len;
+        /* required = 2*n + 1 - 2 = 2*n -1 */
+        if (n > (APR_SIZE_MAX + 1) / 2) {
+            ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
+                          "ssl_var_lookup_ssl_clienthello: sigalgos_len too large (%zu), rejecting to avoid allocation overflow",
+                          (size_t)n);
+            return NULL;
+        }
         value = apr_palloc(p, clienthello_vars->sigalgos_len * 2 + 1 - 2);
         ap_bin2hex(clienthello_vars->sigalgos_data + 2, clienthello_vars->sigalgos_len - 2, value);
         return value;
     }
     else if (strEQ(var, "ALPN") && (clienthello_vars->alpn_len > 2)) {
+        apr_size_t n = clienthello_vars->alpn_len;
+        if (n > (APR_SIZE_MAX + 1) / 2) {
+            ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
+                          "ssl_var_lookup_ssl_clienthello: alpn_len too large (%zu), rejecting to avoid allocation overflow",
+                          (size_t)n);
+            return NULL;
+        }
         value = apr_palloc(p, clienthello_vars->alpn_len * 2 + 1 - 2);
         ap_bin2hex(clienthello_vars->alpn_data + 2, clienthello_vars->alpn_len - 2, value);
         return value;
     }
     else if (strEQ(var, "VERSIONS") && (clienthello_vars->versions_len > 1)) {
+        apr_size_t n = clienthello_vars->versions_len;
+        if (n > APR_SIZE_MAX / 2) {
+            ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
+                          "ssl_var_lookup_ssl_clienthello: versions_len too large (%zu), rejecting to avoid allocation overflow",
+                          (size_t)n);
+            return NULL;
+        }
         value = apr_palloc(p, clienthello_vars->versions_len * 2 + 1 - 1);
         ap_bin2hex(clienthello_vars->versions_data + 1, clienthello_vars->versions_len - 1, value);
         return value;