comparison src/http/ngx_http_parse.c @ 7067:e3723f2a11b7

Parenthesized ASCII-related calculations. This also fixes potential undefined behaviour in the range and slice filter modules, caused by local overflows of signed integers in expressions.
author Valentin Bartenev <vbart@nginx.com>
date Mon, 17 Jul 2017 17:23:51 +0300
parents f38647c651a8
children f9661f56c717
7066:a27e0c7e198c 7067:e3723f2a11b7
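--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -740,11 +740,11 @@
 
 if (ch < '0' || ch > '9') {
 return NGX_HTTP_PARSE_INVALID_REQUEST;
 }
 
-r->http_major = r->http_major * 10 + ch - '0';
+r->http_major = r->http_major * 10 + (ch - '0');
 
 if (r->http_major > 1) {
 return NGX_HTTP_PARSE_INVALID_VERSION;
 }
 
@@ -782,11 +782,11 @@
 
 if (r->http_minor > 99) {
 return NGX_HTTP_PARSE_INVALID_REQUEST;
 }
 
-r->http_minor = r->http_minor * 10 + ch - '0';
+r->http_minor = r->http_minor * 10 + (ch - '0');
 break;
 
 case sw_spaces_after_digit:
 switch (ch) {
 case ' ':
@@ -1516,11 +1516,11 @@
 
 return NGX_HTTP_PARSE_INVALID_REQUEST;
 
 case sw_quoted_second:
 if (ch >= '0' && ch <= '9') {
-ch = (u_char) ((decoded << 4) + ch - '0');
+ch = (u_char) ((decoded << 4) + (ch - '0'));
 
 if (ch == '%' || ch == '#') {
 state = sw_usual;
 *u++ = ch;
 ch = *p++;
@@ -1534,11 +1534,11 @@
 break;
 }
 
 c = (u_char) (ch | 0x20);
 if (c >= 'a' && c <= 'f') {
-ch = (u_char) ((decoded << 4) + c - 'a' + 10);
+ch = (u_char) ((decoded << 4) + (c - 'a') + 10);
 
 if (ch == '?') {
 state = sw_usual;
 *u++ = ch;
 ch = *p++;
@@ -1699,11 +1699,11 @@
 
 if (r->http_major > 99) {
 return NGX_ERROR;
 }
 
-r->http_major = r->http_major * 10 + ch - '0';
+r->http_major = r->http_major * 10 + (ch - '0');
 break;
 
 /* the first digit of minor HTTP version */
 case sw_first_minor_digit:
 if (ch < '0' || ch > '9') {
@@ -1727,11 +1727,11 @@
 
 if (r->http_minor > 99) {
 return NGX_ERROR;
 }
 
-r->http_minor = r->http_minor * 10 + ch - '0';
+r->http_minor = r->http_minor * 10 + (ch - '0');
 break;
 
 /* HTTP status code */
 case sw_status:
 if (ch == ' ') {
@@ -1740,11 +1740,11 @@
 
 if (ch < '0' || ch > '9') {
 return NGX_ERROR;
 }
 
-status->code = status->code * 10 + ch - '0';
+status->code = status->code * 10 + (ch - '0');
 
 if (++status->count == 3) {
 state = sw_space_after_status;
 status->start = p - 2;
 }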
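Review bot: At new line 1539 the hex-letter branch groups only `(c - 'a')` and leaves `+ 10` outside, so the nibble value is not one parenthesized term the way `(ch - '0')` is at 1521; `ch = (u_char) ((decoded << 4) + (c - 'a' + 10));` states the intent directly and gives the same result. In the hunks shown, every decimal accumulator is bounded by an adjacent check (`> 1` at 747, `> 99` at 783, 1700 and 1728, `++status->count == 3` at 1747), so the regrouping does not appear to change behaviour in this file; the overflow named in the description concerns the range and slice filters, which are not on this page. A short comment at one of these sites, e.g. `/* convert the digit first so the sum cannot overflow transiently */`, would keep a later cleanup from dropping the parentheses as redundant. The enclosing parser functions start and end outside the hunks.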