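/* test/teststr.c contains: */
/* random-ish checks for strfsize buffer overflows */
static void overflow_strfsize(abts_case *tc, void *data)
{
    apr_off_t off;
    char buf[7];
    int bit;

    /* Sentinel bytes beyond the part of buf the formatter is expected to
     * use; the assertions at the end check they are still intact. */
    buf[5] = '$';
    buf[6] = '@';

    /* Dense sweep over small (including negative) values, then two
     * progressively sparser sweeps up to roughly a billion. */
    for (off = -9999; off < 20000; off++) {
        apr_strfsize(off, buf);
    }
    for (; off < 9999999; off += 9) {
        apr_strfsize(off, buf);
    }
    for (; off < 999999999; off += 999) {
        apr_strfsize(off, buf);
    }

    /* Every positive power of two representable in apr_off_t, plus its
     * two neighbours.  The loop is bounded by the type's width instead of
     * doubling until the value "goes negative": apr_off_t is signed, so
     * multiplying past its largest positive value is undefined behaviour,
     * and a compiler may then assume the old "off > 0" test can never
     * fail.  Bit (width - 1) is the sign bit, so the last shift below is
     * still representable and off + 1 cannot overflow either. */
    for (bit = 0; bit < (int)(sizeof(off) * CHAR_BIT) - 1; bit++) {
        off = (apr_off_t)1 << bit;
        apr_strfsize(off, buf);
        apr_strfsize(off + 1, buf);
        apr_strfsize(off - 1, buf);
    }

    ABTS_ASSERT(tc, "strfsize overflowed", buf[5] == '$');
    ABTS_ASSERT(tc, "strfsize overflowed", buf[6] == '@');
}
/* The loop at line 310 of the original ("for (off = 1; off < LONG_MAX &&
 * off > 0; off *= 2)") triggers undefined behavior because off is signed,
 * so the doubling that is meant to terminate the loop overflows instead;
 * the final loop above bounds the iteration by the type's width. */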
Created attachment 1387932 [details] Patch used for fix