# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1353952868 0
# Node ID 240e3fb392c9eb3554df2f864541e86b0177792f
# Parent  7bd1c839af3b83a16df0cd5c47fd4b9a505aad9e
Request body: error checking fixes, negative rb->rest handling.

Negative rb->rest can't happen with current code, but it's good to have
it handled anyway.

Found by Coverity (CID 744846, 744847, 744848).

diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c
--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -134,6 +134,13 @@ ngx_http_read_client_request_body(ngx_ht
         return NGX_OK;
     }
 
+    if (rb->rest < 0) {
+        ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
+                      "negative request body rest");
+        rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
+        goto done;
+    }
+
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
     size = clcf->client_body_buffer_size;
@@ -643,7 +650,7 @@ ngx_http_discard_request_body_filter(ngx
             }
 
             rb->chunked = ngx_pcalloc(r->pool, sizeof(ngx_http_chunked_t));
-            if (rb == NULL) {
+            if (rb->chunked == NULL) {
                 return NGX_HTTP_INTERNAL_SERVER_ERROR;
             }
 
@@ -1022,7 +1029,9 @@ ngx_http_request_body_save_filter(ngx_ht
 
     /* TODO: coalesce neighbouring buffers */
 
-    ngx_chain_add_copy(r->pool, &rb->bufs, in);
+    if (ngx_chain_add_copy(r->pool, &rb->bufs, in) != NGX_OK) {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
 
     return NGX_OK;
 }