Mercurial > hg > nginx-quic
comparison src/http/v3/ngx_http_v3_parse.c @ 7958:2576485b93d4 quic
HTTP/3: fixed overflow in prefixed integer parser.
Previously, the expression (ch & 0x7f) was promoted to a signed integer.
Depending on the platform, the size of this integer could be less than 8 bytes,
leading to overflow when handling the higher bits of the result. Also, sign
bit of this integer could be replicated when adding to the 64-bit st->value.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Fri, 03 Jul 2020 16:41:31 +0300 |
| parents | 153bffee3d7e |
| children | fdb8edc8e496 |
comparison
equal
deleted
inserted
replaced
| 7957:153bffee3d7e | 7958:2576485b93d4 |
|---|---|
| 116 st->state = sw_value; | 116 st->state = sw_value; |
| 117 break; | 117 break; |
| 118 | 118 |
| 119 case sw_value: | 119 case sw_value: |
| 120 | 120 |
| 121 st->value += (ch & 0x7f) << st->shift; | 121 st->value += (uint64_t) (ch & 0x7f) << st->shift; |
| 122 if (ch & 0x80) { | 122 if (ch & 0x80) { |
| 123 st->shift += 7; | 123 st->shift += 7; |
| 124 break; | 124 break; |
| 125 } | 125 } |
| 126 | 126 |