# HG changeset patch # User Vladimir Homutov # Date 1545731964 -10800 # Node ID a91b93f3f3e7e62fd7e3db1e149953fa0f0d5d4c # Parent e3b262e7fc883ad215056132e934c1c265da9c90 Autoindex: fixed possible integer overflow on 32-bit systems. diff --git a/src/http/modules/ngx_http_autoindex_module.c b/src/http/modules/ngx_http_autoindex_module.c --- a/src/http/modules/ngx_http_autoindex_module.c +++ b/src/http/modules/ngx_http_autoindex_module.c @@ -434,7 +434,7 @@ ngx_http_autoindex_html(ngx_http_request { u_char *last, scale; off_t length; - size_t len, char_len, escape_html; + size_t len, entry_len, char_len, escape_html; ngx_tm_t tm; ngx_buf_t *b; ngx_int_t size; @@ -499,17 +499,23 @@ ngx_http_autoindex_html(ngx_http_request entry[i].utf_len = entry[i].name.len; } - len += sizeof("") - 1 - + entry[i].name.len - entry[i].utf_len - + entry[i].escape_html - + NGX_HTTP_AUTOINDEX_NAME_LEN + sizeof(">") - 2 - + sizeof("") - 1 - + sizeof(" 28-Sep-1970 12:00 ") - 1 - + 20 /* the file size */ - + 2; + entry_len = sizeof("") - 1 + + entry[i].name.len - entry[i].utf_len + + entry[i].escape_html + + NGX_HTTP_AUTOINDEX_NAME_LEN + sizeof(">") - 2 + + sizeof("") - 1 + + sizeof(" 28-Sep-1970 12:00 ") - 1 + + 20 /* the file size */ + + 2; + + if (len > NGX_MAX_SIZE_T_VALUE - entry_len) { + return NULL; + } + + len += entry_len; } b = ngx_create_temp_buf(r->pool, len); @@ -697,7 +703,7 @@ static ngx_buf_t * ngx_http_autoindex_json(ngx_http_request_t *r, ngx_array_t *entries, ngx_str_t *callback) { - size_t len; + size_t len, entry_len; ngx_buf_t *b; ngx_uint_t i; ngx_http_autoindex_entry_t *entry; 
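Review bot: The new overflow branch in the `ngx_http_autoindex_html` loop returns NULL without recording why, so the caller receives the same NULL it would get if `ngx_create_temp_buf(r->pool, len)` failed right after the loop. A line such as `ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "autoindex: listing length overflows size_t");` before `return NULL;` would give operators something to search and alert on when a listing is refused for its size. The same silent return is added in the `ngx_http_autoindex_json` and `ngx_http_autoindex_xml` hunks. How the caller maps a NULL buffer to a response is not visible here, and the function body starts and ends outside the hunk.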
@@ -714,15 +720,21 @@ ngx_http_autoindex_json(ngx_http_request entry[i].escape = ngx_escape_json(NULL, entry[i].name.data, entry[i].name.len); - len += sizeof("{ }," CRLF) - 1 - + sizeof("\"name\":\"\"") - 1 - + entry[i].name.len + entry[i].escape - + sizeof(", \"type\":\"directory\"") - 1 - + sizeof(", \"mtime\":\"Wed, 31 Dec 1986 10:00:00 GMT\"") - 1; + entry_len = sizeof("{ }," CRLF) - 1 + + sizeof("\"name\":\"\"") - 1 + + entry[i].name.len + entry[i].escape + + sizeof(", \"type\":\"directory\"") - 1 + + sizeof(", \"mtime\":\"Wed, 31 Dec 1986 10:00:00 GMT\"") - 1; if (entry[i].file) { - len += sizeof(", \"size\":") - 1 + NGX_OFF_T_LEN; + entry_len += sizeof(", \"size\":") - 1 + NGX_OFF_T_LEN; } + + if (len > NGX_MAX_SIZE_T_VALUE - entry_len) { + return NULL; + } + + len += entry_len; } b = ngx_create_temp_buf(r->pool, len); @@ -841,7 +853,7 @@ ngx_http_autoindex_jsonp_callback(ngx_ht static ngx_buf_t * ngx_http_autoindex_xml(ngx_http_request_t *r, ngx_array_t *entries) { - size_t len; + size_t len, entry_len; ngx_tm_t tm; ngx_buf_t *b; ngx_str_t type; @@ -859,13 +871,19 @@ ngx_http_autoindex_xml(ngx_http_request_ entry[i].escape = ngx_escape_html(NULL, entry[i].name.data, entry[i].name.len); - len += sizeof("" CRLF) - 1 - + entry[i].name.len + entry[i].escape - + sizeof(" mtime=\"1986-12-31T10:00:00Z\"") - 1; + entry_len = sizeof("" CRLF) - 1 + + entry[i].name.len + entry[i].escape + + sizeof(" mtime=\"1986-12-31T10:00:00Z\"") - 1; if (entry[i].file) { - len += sizeof(" size=\"\"") - 1 + NGX_OFF_T_LEN; + entry_len += sizeof(" size=\"\"") - 1 + NGX_OFF_T_LEN; } + + if (len > NGX_MAX_SIZE_T_VALUE - entry_len) { + return NULL; + } + + len += entry_len; } b = ngx_create_temp_buf(r->pool, len);
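Review bot: The guard in the `ngx_http_autoindex_json` loop protects only the running total; `entry_len` itself is summed from `entry[i].name.len + entry[i].escape` plus the fixed parts with no check of its own. That is presumably safe because directory entry names are short, but that bound is established outside this hunk, so the assumption deserves a comment above the check, for example `/* entry_len is assumed not to wrap (entry names are short); len sizes the buffer allocated below, so it must not wrap either */`. The same applies to the html and xml loops, which build `entry_len` the same way. The loop and the function it belongs to begin and end outside the hunk.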