# HG changeset patch
# User Ruslan Ermilov <ru@nginx.com>
# Date 1426541184 -10800
# Node ID a77b625641c70ff303bc68286334453ed9f88764
# Parent  b2a2475b20087cd1027f1e3ea8c10f4359eb5e0b
Overflow detection in ngx_http_range_parse().

diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c
--- a/src/http/modules/ngx_http_range_filter_module.c
+++ b/src/http/modules/ngx_http_range_filter_module.c
@@ -274,7 +274,7 @@ ngx_http_range_parse(ngx_http_request_t 
     ngx_uint_t ranges)
 {
     u_char            *p;
-    off_t              start, end, size, content_length;
+    off_t              start, end, size, content_length, cutoff, cutlim;
     ngx_uint_t         suffix;
     ngx_http_range_t  *range;
 
@@ -282,6 +282,9 @@ ngx_http_range_parse(ngx_http_request_t 
     size = 0;
     content_length = r->headers_out.content_length_n;
 
+    cutoff = NGX_MAX_OFF_T_VALUE / 10;
+    cutlim = NGX_MAX_OFF_T_VALUE % 10;
+
     for ( ;; ) {
         start = 0;
         end = 0;
@@ -295,6 +298,10 @@ ngx_http_range_parse(ngx_http_request_t 
             }
 
             while (*p >= '0' && *p <= '9') {
+                if (start >= cutoff && (start > cutoff || *p - '0' > cutlim)) {
+                    return NGX_HTTP_RANGE_NOT_SATISFIABLE;
+                }
+
                 start = start * 10 + *p++ - '0';
             }
 
@@ -321,6 +328,10 @@ ngx_http_range_parse(ngx_http_request_t 
         }
 
         while (*p >= '0' && *p <= '9') {
+            if (end >= cutoff && (end > cutoff || *p - '0' > cutlim)) {
+                return NGX_HTTP_RANGE_NOT_SATISFIABLE;
+            }
+
             end = end * 10 + *p++ - '0';
         }