From 09b90e82ba37bf6dbaa6f2a47aa151d940899c7d Mon Sep 17 00:00:00 2001
From: jmestwa-coder
Date: Sat, 18 Apr 2026 23:51:52 +0530
Subject: [PATCH] fix overflow in allocation size calculation in apreq_param_make
---
 server/apreq_param.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/server/apreq_param.c b/server/apreq_param.c
index 83e185b595a..1ba3fa8e885 100644
--- a/server/apreq_param.c
+++ b/server/apreq_param.c
@@ -34,8 +34,18 @@ APREQ_DECLARE(apreq_param_t *) apreq_param_make(apr_pool_t *p,
 {
     apreq_param_t *param;
     apreq_value_t *v;
+    apr_size_t size;
 
-    param = apr_palloc(p, nlen + vlen + 1 + sizeof *param);
+    /* Check for overflow in size computation */
+    if (nlen > APR_SIZE_MAX - vlen)
+        return NULL;
+
+    size = nlen + vlen;
+    if (size > APR_SIZE_MAX - sizeof(*param) - 1)
+        return NULL;
+
+    size += sizeof(*param) + 1;
+    param = apr_palloc(p, size);
     if (param == NULL)
         return NULL;