comparison src/http/ngx_http_parse.c @ 6088:b5094e26e4e5 stable-1.6
Overflow detection in ngx_http_parse_chunked().
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Tue, 17 Mar 2015 00:26:27 +0300 |
parents | bd91f286ee0a |
children |
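--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2102,10 +2102,14 @@
 }
 
 goto invalid;
 
 case sw_chunk_size:
+if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
+goto invalid;
+}
+
 if (ch >= '0' && ch <= '9') {
 ctx->size = ctx->size * 16 + (ch - '0');
 break;
 }
 
@@ -2250,10 +2254,14 @@
 
 data:
 
 ctx->state = state;
 b->pos = pos;
+
+if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
+goto invalid;
+}
 
 switch (state) {
 
 case sw_chunk_start:
 ctx->length = 3 /* "0" LF LF */;
@@ -2287,14 +2295,10 @@
 ctx->length = 2 /* LF LF */;
 break;
 
 }
 
-if (ctx->size < 0 || ctx->length < 0) {
-goto invalid;
-}
-
 return rc;
 
 done:
 
 ctx->state = 0;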
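Review bot: The `5` in the new `ctx->size > NGX_MAX_OFF_T_VALUE - 5` guard after `data:` is unexplained, and its correctness depends on the largest constant any branch of the following switch adds to `ctx->size` when it computes `ctx->length`. Only the `3` and `2` branches are visible here, so presumably a branch outside the shown lines adds up to 5. With the old post-hoc `ctx->size < 0 || ctx->length < 0` test removed, nothing would catch the overflow if a later state added more, so I would add a comment such as `/* 5 == largest constant added to ctx->size in the switch below; keep in sync */` or derive the bound from a named constant. The guard in `sw_chunk_size` sits before the digit test, so it also runs on the character that ends the size; that is stricter than needed but safe, and `/* checked before multiplying: signed overflow is undefined */` would record why it comes first. The body of ngx_http_parse_chunked() starts and ends outside the shown lines.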