Merge r1198940 from trunk resp. r1227280 from 2.2.x:

     PR 51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem,

     Eric Covener, <lowprio20 gmail.com>]

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)

     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module

     is enabled, could allow local users to gain privileges via a .htaccess

     file. [Stefan Fritsch, Greg Ames]

Changes with Apache 2.0.64

  *) SECURITY: CVE-2010-1452 (cve.mitre.org)

            More eyes welcome.

     jim: not a showstopper, imo

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)

     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module

     is enabled, could allow local users to gain privileges via a .htaccess

     file. [Stefan Fritsch, Greg Ames]

     From 2.2.x; http://svn.apache.org/viewvc?view=revision&revision=1227280

       +1: gregames, wrowe, trawick

  *) SECURITY: CVE-2011-4317 (cve.mitre.org)

     Resolve additional cases of URL rewriting with ProxyPassMatch or

     RewriteRule, where particular request-URIs could result in undesired

#define IS_SLASH(s) (s == '/')

#endif

/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */

#define UTIL_SIZE_MAX (~((apr_size_t)0))

/*

 * Examine a field value (such as a media-/content-type) string and return

    char *dest, *dst;

    char c;

    size_t no;

    int len;

    apr_size_t len;

    if (!source)

        return NULL;

            len++;

        }

        else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {

            if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {

                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,

                             "integer overflow or out of memory condition." );

                return NULL;

            }

            len += pmatch[no].rm_eo - pmatch[no].rm_so;

        }