Mercurial > hg > nginx-quic
comparison src/http/ngx_http_parse.c @ 6088:b5094e26e4e5 stable-1.6
Overflow detection in ngx_http_parse_chunked().
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Tue, 17 Mar 2015 00:26:27 +0300 |
| parents | bd91f286ee0a |
| children |
comparison
equal
deleted
inserted
replaced
| 6087:a77b625641c7 | 6088:b5094e26e4e5 |
|---|---|
| 2102 } | 2102 } |
| 2103 | 2103 |
| 2104 goto invalid; | 2104 goto invalid; |
| 2105 | 2105 |
| 2106 case sw_chunk_size: | 2106 case sw_chunk_size: |
| 2107 if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) { | |
| 2108 goto invalid; | |
| 2109 } | |
| 2110 | |
| 2107 if (ch >= '0' && ch <= '9') { | 2111 if (ch >= '0' && ch <= '9') { |
| 2108 ctx->size = ctx->size * 16 + (ch - '0'); | 2112 ctx->size = ctx->size * 16 + (ch - '0'); |
| 2109 break; | 2113 break; |
| 2110 } | 2114 } |
| 2111 | 2115 |
| 2250 | 2254 |
| 2251 data: | 2255 data: |
| 2252 | 2256 |
| 2253 ctx->state = state; | 2257 ctx->state = state; |
| 2254 b->pos = pos; | 2258 b->pos = pos; |
| 2259 | |
| 2260 if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) { | |
| 2261 goto invalid; | |
| 2262 } | |
| 2255 | 2263 |
| 2256 switch (state) { | 2264 switch (state) { |
| 2257 | 2265 |
| 2258 case sw_chunk_start: | 2266 case sw_chunk_start: |
| 2259 ctx->length = 3 /* "0" LF LF */; | 2267 ctx->length = 3 /* "0" LF LF */; |
| 2287 ctx->length = 2 /* LF LF */; | 2295 ctx->length = 2 /* LF LF */; |
| 2288 break; | 2296 break; |
| 2289 | 2297 |
| 2290 } | 2298 } |
| 2291 | 2299 |
| 2292 if (ctx->size < 0 || ctx->length < 0) { | |
| 2293 goto invalid; | |
| 2294 } | |
| 2295 | |
| 2296 return rc; | 2300 return rc; |
| 2297 | 2301 |
| 2298 done: | 2302 done: |
| 2299 | 2303 |
| 2300 ctx->state = 0; | 2304 ctx->state = 0; |