waitio: Fix timeout integer overflow

Alejandro Perez Pestana · Alejandro Perez Pestana · commit 93c01bdaae7b · 2025-02-03T00:12:15.000Z
Fix integer overflow in apr_wait_for_io_or_timeout by performing the microseconds to milliseconds conversion before assigning to 32-bit timeout.
diff --git a/support/unix/waitio.c b/support/unix/waitio.c
@@ -36,19 +36,29 @@
 #include <sys/poll.h>
 #endif
 
+/* convert microseconds to milliseconds (round up) */
+#define USEC_TO_MSEC(t) ((t) > 0 ? ((t) + 999) / 1000 : (t))
+
 apr_status_t apr_wait_for_io_or_timeout(apr_file_t *f, apr_socket_t *s,
                                         int for_read)
 {
     struct pollfd pfd;
+    apr_interval_time_t raw_timeout;
     int rc, timeout;
 
-    timeout    = f        ? f->timeout        : s->timeout;
+    raw_timeout = f ? f->timeout : s->timeout;
+
+    if (raw_timeout > ((apr_interval_time_t)INT_MAX)  * 1000) {
+        /* timeout value exceeds maximum allowed (~25 days in microseconds)
+        * capping to INT_MAX milliseconds to avoid overflow */
+        timeout = INT_MAX;
+    } else {
+        timeout = USEC_TO_MSEC(raw_timeout);
+    }
+
     pfd.fd     = f        ? f->filedes        : s->socketdes;
     pfd.events = for_read ? POLLIN            : POLLOUT;
 
-    if (timeout > 0) {
-        timeout = (timeout + 999) / 1000;
-    }
     do {
         rc = poll(&pfd, 1, timeout);
     } while (rc == -1 && errno == EINTR);
