Mercurial > hg > nginx-quic
comparison src/http/v3/ngx_http_v3_parse.c @ 7958:2576485b93d4 quic
HTTP/3: fixed overflow in prefixed integer parser.
Previously, the expression (ch & 0x7f) was promoted to a signed integer.
Depending on the platform, the size of this integer could be less than 8 bytes,
leading to overflow when handling the higher bits of the result. Also, sign
bit of this integer could be replicated when adding to the 64-bit st->value.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Fri, 03 Jul 2020 16:41:31 +0300 |
parents | 153bffee3d7e |
children | fdb8edc8e496 |
comparison
equal
deleted
inserted
replaced
7957:153bffee3d7e | 7958:2576485b93d4 |
---|---|
116 st->state = sw_value; | 116 st->state = sw_value; |
117 break; | 117 break; |
118 | 118 |
119 case sw_value: | 119 case sw_value: |
120 | 120 |
121 st->value += (ch & 0x7f) << st->shift; | 121 st->value += (uint64_t) (ch & 0x7f) << st->shift; |
122 if (ch & 0x80) { | 122 if (ch & 0x80) { |
123 st->shift += 7; | 123 st->shift += 7; |
124 break; | 124 break; |
125 } | 125 } |
126 | 126 |