Mercurial > hg > nginx
comparison src/http/modules/ngx_http_range_filter_module.c @ 6087:a77b625641c7 stable-1.6
Overflow detection in ngx_http_range_parse().
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Tue, 17 Mar 2015 00:26:24 +0300 |
| parents | 345e4fd4bb64 |
| children | 8b6fa4842133 |
comparison
equal
deleted
inserted
replaced
| 6086:b2a2475b2008 | 6087:a77b625641c7 |
|---|---|
| 272 static ngx_int_t | 272 static ngx_int_t |
| 273 ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx, | 273 ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx, |
| 274 ngx_uint_t ranges) | 274 ngx_uint_t ranges) |
| 275 { | 275 { |
| 276 u_char *p; | 276 u_char *p; |
| 277 off_t start, end, size, content_length; | 277 off_t start, end, size, content_length, cutoff, cutlim; |
| 278 ngx_uint_t suffix; | 278 ngx_uint_t suffix; |
| 279 ngx_http_range_t *range; | 279 ngx_http_range_t *range; |
| 280 | 280 |
| 281 p = r->headers_in.range->value.data + 6; | 281 p = r->headers_in.range->value.data + 6; |
| 282 size = 0; | 282 size = 0; |
| 283 content_length = r->headers_out.content_length_n; | 283 content_length = r->headers_out.content_length_n; |
| 284 | |
| 285 cutoff = NGX_MAX_OFF_T_VALUE / 10; | |
| 286 cutlim = NGX_MAX_OFF_T_VALUE % 10; | |
| 284 | 287 |
| 285 for ( ;; ) { | 288 for ( ;; ) { |
| 286 start = 0; | 289 start = 0; |
| 287 end = 0; | 290 end = 0; |
| 288 suffix = 0; | 291 suffix = 0; |
| 293 if (*p < '0' || *p > '9') { | 296 if (*p < '0' || *p > '9') { |
| 294 return NGX_HTTP_RANGE_NOT_SATISFIABLE; | 297 return NGX_HTTP_RANGE_NOT_SATISFIABLE; |
| 295 } | 298 } |
| 296 | 299 |
| 297 while (*p >= '0' && *p <= '9') { | 300 while (*p >= '0' && *p <= '9') { |
| 301 if (start >= cutoff && (start > cutoff || *p - '0' > cutlim)) { | |
| 302 return NGX_HTTP_RANGE_NOT_SATISFIABLE; | |
| 303 } | |
| 304 | |
| 298 start = start * 10 + *p++ - '0'; | 305 start = start * 10 + *p++ - '0'; |
| 299 } | 306 } |
| 300 | 307 |
| 301 while (*p == ' ') { p++; } | 308 while (*p == ' ') { p++; } |
| 302 | 309 |
| 319 if (*p < '0' || *p > '9') { | 326 if (*p < '0' || *p > '9') { |
| 320 return NGX_HTTP_RANGE_NOT_SATISFIABLE; | 327 return NGX_HTTP_RANGE_NOT_SATISFIABLE; |
| 321 } | 328 } |
| 322 | 329 |
| 323 while (*p >= '0' && *p <= '9') { | 330 while (*p >= '0' && *p <= '9') { |
| 331 if (end >= cutoff && (end > cutoff || *p - '0' > cutlim)) { | |
| 332 return NGX_HTTP_RANGE_NOT_SATISFIABLE; | |
| 333 } | |
| 334 | |
| 324 end = end * 10 + *p++ - '0'; | 335 end = end * 10 + *p++ - '0'; |
| 325 } | 336 } |
| 326 | 337 |
| 327 while (*p == ' ') { p++; } | 338 while (*p == ' ') { p++; } |
| 328 | 339 |