comparison src/http/modules/ngx_http_range_filter_module.c @ 6013:9653092a79fd
Overflow detection in ngx_http_range_parse().
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Tue, 17 Mar 2015 00:26:24 +0300 |
parents | 345e4fd4bb64 |
children | 8b6fa4842133 |
6012:550212836c8f | 6013:9653092a79fd |
---|---|
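--- a/src/http/modules/ngx_http_range_filter_module.c
+++ b/src/http/modules/ngx_http_range_filter_module.c
@@ -272,17 +272,20 @@
 static ngx_int_t
 ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx,
 ngx_uint_t ranges)
 {
 u_char *p;
-off_t start, end, size, content_length;
+off_t start, end, size, content_length, cutoff, cutlim;
 ngx_uint_t suffix;
 ngx_http_range_t *range;
 
 p = r->headers_in.range->value.data + 6;
 size = 0;
 content_length = r->headers_out.content_length_n;
+
+cutoff = NGX_MAX_OFF_T_VALUE / 10;
+cutlim = NGX_MAX_OFF_T_VALUE % 10;
 
 for ( ;; ) {
 start = 0;
 end = 0;
 suffix = 0;
@@ -293,10 +296,14 @@
 if (*p < '0' || *p > '9') {
 return NGX_HTTP_RANGE_NOT_SATISFIABLE;
 }
 
 while (*p >= '0' && *p <= '9') {
+if (start >= cutoff && (start > cutoff || *p - '0' > cutlim)) {
+return NGX_HTTP_RANGE_NOT_SATISFIABLE;
+}
+
 start = start * 10 + *p++ - '0';
 }
 
 while (*p == ' ') { p++; }
 
@@ -319,10 +326,14 @@
 if (*p < '0' || *p > '9') {
 return NGX_HTTP_RANGE_NOT_SATISFIABLE;
 }
 
 while (*p >= '0' && *p <= '9') {
+if (end >= cutoff && (end > cutoff || *p - '0' > cutlim)) {
+return NGX_HTTP_RANGE_NOT_SATISFIABLE;
+}
+
 end = end * 10 + *p++ - '0';
 }
 
 while (*p == ' ') { p++; }
 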