comparison src/http/ngx_http_parse.c @ 7067:e3723f2a11b7
Parenthesized ASCII-related calculations.
This also fixes potential undefined behaviour in the range and slice filter
modules, caused by local overflows of signed integers in expressions.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Mon, 17 Jul 2017 17:23:51 +0300 |
parents | f38647c651a8 |
children | f9661f56c717 |
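--- a/src/http/ngx_http_parse.c	7066:a27e0c7e198c
+++ b/src/http/ngx_http_parse.c	7067:e3723f2a11b7
@@ -740,11 +740,11 @@
 
 if (ch < '0' || ch > '9') {
 return NGX_HTTP_PARSE_INVALID_REQUEST;
 }
 
-r->http_major = r->http_major * 10 + ch - '0';
+r->http_major = r->http_major * 10 + (ch - '0');
 
 if (r->http_major > 1) {
 return NGX_HTTP_PARSE_INVALID_VERSION;
 }
 
@@ -782,11 +782,11 @@
 
 if (r->http_minor > 99) {
 return NGX_HTTP_PARSE_INVALID_REQUEST;
 }
 
-r->http_minor = r->http_minor * 10 + ch - '0';
+r->http_minor = r->http_minor * 10 + (ch - '0');
 break;
 
 case sw_spaces_after_digit:
 switch (ch) {
 case ' ':
@@ -1516,11 +1516,11 @@
 
 return NGX_HTTP_PARSE_INVALID_REQUEST;
 
 case sw_quoted_second:
 if (ch >= '0' && ch <= '9') {
-ch = (u_char) ((decoded << 4) + ch - '0');
+ch = (u_char) ((decoded << 4) + (ch - '0'));
 
 if (ch == '%' || ch == '#') {
 state = sw_usual;
 *u++ = ch;
 ch = *p++;
@@ -1534,11 +1534,11 @@
 break;
 }
 
 c = (u_char) (ch | 0x20);
 if (c >= 'a' && c <= 'f') {
-ch = (u_char) ((decoded << 4) + c - 'a' + 10);
+ch = (u_char) ((decoded << 4) + (c - 'a') + 10);
 
 if (ch == '?') {
 state = sw_usual;
 *u++ = ch;
 ch = *p++;
@@ -1699,11 +1699,11 @@
 
 if (r->http_major > 99) {
 return NGX_ERROR;
 }
 
-r->http_major = r->http_major * 10 + ch - '0';
+r->http_major = r->http_major * 10 + (ch - '0');
 break;
 
 /* the first digit of minor HTTP version */
 case sw_first_minor_digit:
 if (ch < '0' || ch > '9') {
@@ -1727,11 +1727,11 @@
 
 if (r->http_minor > 99) {
 return NGX_ERROR;
 }
 
-r->http_minor = r->http_minor * 10 + ch - '0';
+r->http_minor = r->http_minor * 10 + (ch - '0');
 break;
 
 /* HTTP status code */
 case sw_status:
 if (ch == ' ') {
@@ -1740,11 +1740,11 @@
 
 if (ch < '0' || ch > '9') {
 return NGX_ERROR;
 }
 
-status->code = status->code * 10 + ch - '0';
+status->code = status->code * 10 + (ch - '0');
 
 if (++status->count == 3) {
 state = sw_space_after_status;
 status->start = p - 2;
 }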
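Review bot: The accumulations at new lines 787, 1704 and 1732 stay in range only because of the `> 99` check directly above each of them, and nothing at those sites says so; the added parentheses keep the intermediate sum from exceeding the final value but do not bound the field themselves. A one-line comment above each update, for example `/* http_minor <= 99 here, so the result is at most 999 */`, would keep a later edit from moving or dropping the guard. Line 745 tests `> 1` only after the update, and line 1745 appears to rely on the three-digit `status->count` limit plus a zeroed `status` from the caller, which is not visible here, so those two sites deserve the same kind of comment. In the hex branch at line 1539, `(c - 'a' + 10)` would group the whole nibble value the way `(ch - '0')` does at line 1521. The enclosing functions start and end outside the visible hunks.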