# HG changeset patch
# User Ruslan Ermilov <ru@nginx.com>
# Date 1426541184 -10800
# Node ID 9653092a79fd8bf27e78e0e1e4527501bf77c7fa
# Parent  550212836c8f8279d73680b3f87fb0acaf20d933
Overflow detection in ngx_http_range_parse().

diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c
--- a/src/http/modules/ngx_http_range_filter_module.c
+++ b/src/http/modules/ngx_http_range_filter_module.c
@@ -274,7 +274,7 @@ ngx_http_range_parse(ngx_http_request_t 
     ngx_uint_t ranges)
 {
     u_char            *p;
-    off_t              start, end, size, content_length;
+    off_t              start, end, size, content_length, cutoff, cutlim;
     ngx_uint_t         suffix;
     ngx_http_range_t  *range;
 
@@ -282,6 +282,9 @@ ngx_http_range_parse(ngx_http_request_t 
     size = 0;
     content_length = r->headers_out.content_length_n;
 
+    cutoff = NGX_MAX_OFF_T_VALUE / 10;
+    cutlim = NGX_MAX_OFF_T_VALUE % 10;
+
     for ( ;; ) {
         start = 0;
         end = 0;
@@ -295,6 +298,10 @@ ngx_http_range_parse(ngx_http_request_t 
             }
 
             while (*p >= '0' && *p <= '9') {
+                if (start >= cutoff && (start > cutoff || *p - '0' > cutlim)) {
+                    return NGX_HTTP_RANGE_NOT_SATISFIABLE;
+                }
+
                 start = start * 10 + *p++ - '0';
             }
 
@@ -321,6 +328,10 @@ ngx_http_range_parse(ngx_http_request_t 
         }
 
         while (*p >= '0' && *p <= '9') {
+            if (end >= cutoff && (end > cutoff || *p - '0' > cutlim)) {
+                return NGX_HTTP_RANGE_NOT_SATISFIABLE;
+            }
+
             end = end * 10 + *p++ - '0';
         }