Mercurial > hg > nginx
comparison src/http/v2/ngx_http_v2_huff_encode.c @ 6396:dcfe355dfda4
HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().
When the "pending" value is zero, the "buf" will be right shifted
by the width of its type, which results in undefined behavior.
Found by Coverity (CID 1352150).
| author | Valentin Bartenev <vbart@nginx.com> |
|---|---|
| date | Fri, 12 Feb 2016 16:36:20 +0300 |
| parents | ba3c2ca21aa5 |
| children |
comparison
equal
deleted
inserted
replaced
| 6395:ba3c2ca21aa5 | 6396:dcfe355dfda4 |
|---|---|
| 229 hlen += sizeof(buf); | 229 hlen += sizeof(buf); |
| 230 | 230 |
| 231 buf = pending ? code << (sizeof(buf) * 8 - pending) : 0; | 231 buf = pending ? code << (sizeof(buf) * 8 - pending) : 0; |
| 232 } | 232 } |
| 233 | 233 |
| 234 if (pending == 0) { | |
| 235 return hlen; | |
| 236 } | |
| 237 | |
| 234 buf |= (ngx_uint_t) -1 >> pending; | 238 buf |= (ngx_uint_t) -1 >> pending; |
| 235 | 239 |
| 236 pending = ngx_align(pending, 8); | 240 pending = ngx_align(pending, 8); |
| 237 | 241 |
| 238 if (hlen + pending / 8 >= len) { | 242 if (hlen + pending / 8 >= len) { |
| 239 return 0; | 243 return 0; |
| 240 } | 244 } |
| 241 | 245 |
| 242 buf >>= sizeof(buf) * 8 - pending; | 246 buf >>= sizeof(buf) * 8 - pending; |
| 243 | 247 |
| 244 while (pending) { | 248 do { |
| 245 pending -= 8; | 249 pending -= 8; |
| 246 dst[hlen++] = (u_char) (buf >> pending); | 250 dst[hlen++] = (u_char) (buf >> pending); |
| 247 } | 251 } while (pending); |
| 248 | 252 |
| 249 return hlen; | 253 return hlen; |
| 250 } | 254 } |