comparison src/http/ngx_http_parse.c @ 6014:e370c5fdf4c8
Overflow detection in ngx_http_parse_chunked().
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Tue, 17 Mar 2015 00:26:27 +0300 |
parents | c5ec6944de98 |
children | 302ff40c9bc9 |
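--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2153,10 +2153,14 @@
 }
 
 goto invalid;
 
 case sw_chunk_size:
+if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
+goto invalid;
+}
+
 if (ch >= '0' && ch <= '9') {
 ctx->size = ctx->size * 16 + (ch - '0');
 break;
 }
 
@@ -2301,10 +2305,14 @@
 
 data:
 
 ctx->state = state;
 b->pos = pos;
+
+if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
+goto invalid;
+}
 
 switch (state) {
 
 case sw_chunk_start:
 ctx->length = 3 /* "0" LF LF */;
@@ -2338,14 +2346,10 @@
 ctx->length = 2 /* LF LF */;
 break;
 
 }
 
-if (ctx->size < 0 || ctx->length < 0) {
-goto invalid;
-}
-
 return rc;
 
 done:
 
 ctx->state = 0;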
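Review bot: The guard `if (ctx->size > NGX_MAX_OFF_T_VALUE - 5)` added after `data:` uses an unexplained constant. It presumably equals the largest fixed overhead that the `switch (state)` arms add to `ctx->size` when computing `ctx->length`, but only the first and last arms are visible here, so that needs confirming against the full switch. Because the commit also removes the after-the-fact `ctx->size < 0 || ctx->length < 0` check, nothing would catch an arm that later adds more than 5, and the resulting signed overflow would be undefined behaviour on a length taken from the peer. I would document the coupling on the guard, e.g. `/* 5 is the largest constant added to ctx->size in the switch below; keep in sync */`. The enclosing function starts and ends outside the shown context.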