comparison src/http/ngx_http_parse.c @ 6014:e370c5fdf4c8

Overflow detection in ngx_http_parse_chunked().
author Ruslan Ermilov <ru@nginx.com>
date Tue, 17 Mar 2015 00:26:27 +0300
parents c5ec6944de98
children 302ff40c9bc9
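--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2153,10 +2153,14 @@
 }
 
 goto invalid;
 
 case sw_chunk_size:
+if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
+goto invalid;
+}
+
 if (ch >= '0' && ch <= '9') {
 ctx->size = ctx->size * 16 + (ch - '0');
 break;
 }
 
@@ -2301,10 +2305,14 @@
 
 data:
 
 ctx->state = state;
 b->pos = pos;
+
+if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
+goto invalid;
+}
 
 switch (state) {
 
 case sw_chunk_start:
 ctx->length = 3 /* "0" LF LF */;
@@ -2338,14 +2346,10 @@
 ctx->length = 2 /* LF LF */;
 break;
 
 }
 
-if (ctx->size < 0 || ctx->length < 0) {
-goto invalid;
-}
-
 return rc;
 
 done:
 
 ctx->state = 0;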
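Review bot: The `5` in the new guard `if (ctx->size > NGX_MAX_OFF_T_VALUE - 5)` at the `data:` label is a magic number whose meaning is only recoverable by reading every `ctx->length = ... + ctx->size` case of the switch that follows, most of which lie outside this hunk, so a comment pinning the invariant would keep the two from drifting apart, e.g. `/* 5 is the largest constant added to ctx->size in the switch below; keep in sync */`. The visible cases add only bare constants (3 and 2), so the bound is presumably driven by the elided cases that add a constant to ctx->size; worth confirming that none adds more than 5. The multiplier guard in sw_chunk_size (`> NGX_MAX_OFF_T_VALUE / 16`) is tight for a limit of the form 2^k-1: at equality `ctx->size * 16` is at most `NGX_MAX_OFF_T_VALUE - 15`, so appending one hex digit cannot wrap. Dropping the old `ctx->size < 0 || ctx->length < 0` check relies on ctx->size starting non-negative in sw_chunk_start, which is outside the hunk. ngx_http_parse_chunked() starts before and ends after these hunks.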