Blame SOURCES/httpd-2.4.6-CVE-2014-0226.patch

331623
Index: server/scoreboard.c
331623
===================================================================
331623
--- a/server/scoreboard.c	(revision 1610498)
331623
+++ b/server/scoreboard.c	(revision 1610499)
331623
@@ -579,6 +579,21 @@
331623
                                                  sbh->thread_num);
331623
 }
331623
 
331623
+AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest, 
331623
+                                           int child_num,
331623
+                                           int thread_num)
331623
+{
331623
+    worker_score *ws = ap_get_scoreboard_worker_from_indexes(child_num, thread_num);
331623
+
331623
+    memcpy(dest, ws, sizeof *ws);
331623
+
331623
+    /* For extra safety, NUL-terminate the strings returned, though it
331623
+     * should be true those last bytes are always zero anyway. */
331623
+    dest->client[sizeof(dest->client) - 1] = '\0';
331623
+    dest->request[sizeof(dest->request) - 1] = '\0';
331623
+    dest->vhost[sizeof(dest->vhost) - 1] = '\0';
331623
+}
331623
+
331623
 AP_DECLARE(process_score *) ap_get_scoreboard_process(int x)
331623
 {
331623
     if ((x < 0) || (x >= server_limit)) {
331623
Index: modules/generators/mod_status.c
331623
===================================================================
331623
--- a/modules/generators/mod_status.c	(revision 1610498)
331623
+++ b/modules/generators/mod_status.c	(revision 1610499)
331623
@@ -194,7 +194,7 @@
331623
     long req_time;
331623
     int short_report;
331623
     int no_table_report;
331623
-    worker_score *ws_record;
331623
+    worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record);
331623
     process_score *ps_record;
331623
     char *stat_buffer;
331623
     pid_t *pid_buffer, worker_pid;
331623
@@ -306,7 +306,7 @@
331623
         for (j = 0; j < thread_limit; ++j) {
331623
             int indx = (i * thread_limit) + j;
331623
 
331623
-            ws_record = ap_get_scoreboard_worker_from_indexes(i, j);
331623
+            ap_copy_scoreboard_worker(ws_record, i, j);
331623
             res = ws_record->status;
331623
 
331623
             if ((i >= max_servers || j >= threads_per_child)
331623
@@ -637,7 +637,7 @@
331623
 
331623
         for (i = 0; i < server_limit; ++i) {
331623
             for (j = 0; j < thread_limit; ++j) {
331623
-                ws_record = ap_get_scoreboard_worker_from_indexes(i, j);
331623
+                ap_copy_scoreboard_worker(ws_record, i, j);
331623
 
331623
                 if (ws_record->access_count == 0 &&
331623
                     (ws_record->status == SERVER_READY ||
331623
Index: modules/lua/lua_request.c
331623
===================================================================
331623
--- a/modules/lua/lua_request.c	(revision 1610498)
331623
+++ b/modules/lua/lua_request.c	(revision 1610499)
331623
@@ -1245,16 +1245,22 @@
331623
  */
331623
 static int lua_ap_scoreboard_worker(lua_State *L)
331623
 {
331623
-    int i,
331623
-        j;
331623
-    worker_score   *ws_record;
331623
+    int i, j;
331623
+    worker_score *ws_record = NULL;
331623
+    request_rec *r = NULL;
331623
 
331623
     luaL_checktype(L, 1, LUA_TUSERDATA);
331623
     luaL_checktype(L, 2, LUA_TNUMBER);
331623
     luaL_checktype(L, 3, LUA_TNUMBER);
331623
+
331623
+    r = ap_lua_check_request_rec(L, 1);
331623
+    if (!r) return 0;
331623
+
331623
     i = lua_tointeger(L, 2);
331623
     j = lua_tointeger(L, 3);
331623
-    ws_record = ap_get_scoreboard_worker_from_indexes(i, j);
331623
+    ws_record = apr_palloc(r->pool, sizeof *ws_record);
331623
+
331623
+    ap_copy_scoreboard_worker(ws_record, i, j);
331623
     if (ws_record) {
331623
         lua_newtable(L);
331623
 
331623
Index: include/scoreboard.h
331623
===================================================================
331623
--- a/include/scoreboard.h	(revision 1610498)
331623
+++ b/include/scoreboard.h	(revision 1610499)
331623
@@ -183,8 +183,25 @@
331623
 AP_DECLARE(void) ap_time_process_request(ap_sb_handle_t *sbh, int status);
331623
 
331623
 AP_DECLARE(worker_score *) ap_get_scoreboard_worker(ap_sb_handle_t *sbh);
331623
+
331623
+/** Return a pointer to the worker_score for a given child, thread pair.
331623
+ * @param child_num The child number.
331623
+ * @param thread_num The thread number.
331623
+ * @return A pointer to the worker_score structure.
331623
+ * @deprecated This function is deprecated, use ap_copy_scoreboard_worker instead. */
331623
 AP_DECLARE(worker_score *) ap_get_scoreboard_worker_from_indexes(int child_num,
331623
                                                                 int thread_num);
331623
+
331623
+/** Copy the contents of a worker scoreboard entry.  The contents of
331623
+ * the worker_score structure are copied verbatim into the dest
331623
+ * structure.
331623
+ * @param dest Output parameter.
331623
+ * @param child_num The child number.
331623
+ * @param thread_num The thread number.
331623
+ */
331623
+AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest,
331623
+                                           int child_num, int thread_num);
331623
+
331623
 AP_DECLARE(process_score *) ap_get_scoreboard_process(int x);
331623
 AP_DECLARE(global_score *) ap_get_scoreboard_global(void);
331623
 
331623