From eccf65f1d280123d32543f7fd54b2d6ef7c1e692 Mon Sep 17 00:00:00 2001
From: Ivan Zhakov
Date: Tue, 24 Sep 2024 06:26:21 +0000
Subject: [PATCH] apr_proc_create(): Check that progname argument is quoted correctly if it's quoted on Windows.

git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1920871 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 test/testproc.c | 30 ++++++++++++++++++++++++++++++
 threadproc/win32/proc.c | 11 ++++++++++-
 3 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index a6f190bf55..4731b738c5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -297,6 +297,9 @@ Changes for APR 2.0.0
 *) apr_proc_create(): Fix potential handle leak when apr_proc_create() is used from multiple threads on Windows [Ivan Zhakov]
+ *) apr_proc_create(): Check that progname argument is quoted correctly if
+ it's quoted on Windows. [Ivan Zhakov]
+
 Changes for APR and APR-util 1.7.x and later:
 *) http://svn.apache.org/viewvc/apr/apr/branches/1.7.x/CHANGES?view=markup
diff --git a/test/testproc.c b/test/testproc.c
index 57bb7bee1c..9a134142fa 100644
--- a/test/testproc.c
+++ b/test/testproc.c
@@ -300,6 +300,34 @@ static void test_proc_args_winbatch(abts_case* tc, void* data)
 ABTS_STR_EQUAL(tc, expected, actual);
 }
+#ifdef WIN32
+static void test_proc_unclosed_quote1(abts_case *tc, void *data)
+{
+ apr_procattr_t *attr;
+ apr_status_t rv;
+ const char *args[] = { NULL };
+
+ rv = apr_procattr_create(&attr, p);
+ ABTS_INT_EQUAL(tc, APR_SUCCESS, rv);
+
+ rv = apr_proc_create(&newproc, "\"", args, NULL, attr, p);
+ ABTS_INT_EQUAL(tc, APR_EINVAL, rv);
+}
+
+static void test_proc_unclosed_quote2(abts_case *tc, void *data)
+{
+ apr_procattr_t *attr;
+ apr_status_t rv;
+ const char *args[] = { NULL };
+
+ rv = apr_procattr_create(&attr, p);
+ ABTS_INT_EQUAL(tc, APR_SUCCESS, rv);
+
+ rv = apr_proc_create(&newproc, "\"abc", args, NULL, attr, p);
+ ABTS_INT_EQUAL(tc, APR_EINVAL, rv);
+}
+#endif
+
 abts_suite *testproc(abts_suite *suite)
 {
 suite = ADD_SUITE(suite)
@@ -311,6 +339,8 @@ abts_suite *testproc(abts_suite *suite)
 abts_run_test(suite, test_proc_args, NULL);
 #ifdef WIN32
 abts_run_test(suite, test_proc_args_winbatch, NULL);
+ abts_run_test(suite, test_proc_unclosed_quote1, NULL);
+ abts_run_test(suite, test_proc_unclosed_quote2, NULL);
 #endif
 return suite;
diff --git a/threadproc/win32/proc.c b/threadproc/win32/proc.c
index 3d12f6e325..65037702da 100644
--- a/threadproc/win32/proc.c
+++ b/threadproc/win32/proc.c
@@ -509,7 +509,16 @@ APR_DECLARE(apr_status_t) apr_proc_create(apr_proc_t *new,
 * XXX progname must be NULL if this is a 16 bit app running in WOW
 */
 if (progname[0] == '\"') {
- progname = apr_pstrmemdup(pool, progname + 1, strlen(progname) - 2);
+ size_t progname_len = strlen(progname);
+ if (progname_len < 2) {
+ return APR_EINVAL;
+ }
+
+ if (progname[progname_len - 1] != '\"') {
+ return APR_EINVAL;
+ }
+
+ progname = apr_pstrmemdup(pool, progname + 1, progname_len - 2);
 }
 if (attr->cmdtype == APR_PROGRAM || attr->cmdtype == APR_PROGRAM_ENV) {
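Review bot: test_proc_unclosed_quote1 and test_proc_unclosed_quote2 in test/testproc.c differ only in the progname literal, so the attribute setup and both assertions are duplicated line for line. A small helper that takes the progname would make each further malformed input a one-line case and keep the expected status in one place. A comment above the helper should say why the cases exist: a progname that opens with a quote but is not closed must be rejected with APR_EINVAL before its length is used. Both tests rely on `p` and `newproc`, which are declared outside the hunk.

```c
/* A progname that opens with '"' but is not closed must be rejected
 * with APR_EINVAL before its length is used. */
static void expect_progname_einval(abts_case *tc, const char *progname)
{
    apr_procattr_t *attr;
    apr_status_t rv;
    const char *args[] = { NULL };

    rv = apr_procattr_create(&attr, p);
    ABTS_INT_EQUAL(tc, APR_SUCCESS, rv);

    rv = apr_proc_create(&newproc, progname, args, NULL, attr, p);
    ABTS_INT_EQUAL(tc, APR_EINVAL, rv);
}

static void test_proc_unclosed_quote1(abts_case *tc, void *data)
{
    expect_progname_einval(tc, "\"");
}

/* … test_proc_unclosed_quote2: same call with "\"abc" … */
```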
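Review bot: The new guard in apr_proc_create() (threadproc/win32/proc.c) still accepts a progname that is exactly two quote characters, so the stripped name becomes an empty string and is handed to the code below the hunk; the added tests cover only the unterminated forms. If an empty program name is not meant to reach the later process-creation path (not visible here), reject it at the same point with `if (progname_len < 3) { return APR_EINVAL; }` and add a test for it. The check also inspects only the first and last byte, so a quote inside the name survives the stripping; a double quote cannot occur in a Windows file name, so a `strchr()` over the stripped copy could return APR_EINVAL too, which matters if the command line is re-quoted further down. The function body starts and ends outside the hunk.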