# HG changeset patch # User Sergey Kandaurov # Date 1467914601 -10800 # Node ID ad736705a7442b4a39a4974c51b5456510a5f1b0 # Parent b3682580c1bddc200f6c31cf085a2b42884edc4b HTTP/2: avoid left-shifting signed integer into the sign bit. On non-aligned platforms, properly cast argument before left-shifting it in ngx_http_v2_parse_uint32 that is used with u_char. Otherwise it propagates to int to hold the value and can step over the sign bit. Usually, on known compilers, this results in negation. Furthermore, a subsequent store into a wider type, that is ngx_uint_t on 64-bit platforms, results in sign-extension. In practice, this can be observed in debug log as a very large exclusive bit value, when client sent PRIORITY frame with exclusive bit set: : *14 http2 PRIORITY frame sid:5 on 1 excl:8589934591 weight:17 Found with UndefinedBehaviorSanitizer. diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h --- a/src/http/v2/ngx_http_v2.h +++ b/src/http/v2/ngx_http_v2.h @@ -298,7 +298,7 @@ size_t ngx_http_v2_huff_encode(u_char *s #define ngx_http_v2_parse_uint16(p) ((p)[0] << 8 | (p)[1]) #define ngx_http_v2_parse_uint32(p) \ - ((p)[0] << 24 | (p)[1] << 16 | (p)[2] << 8 | (p)[3]) + ((uint32_t) (p)[0] << 24 | (p)[1] << 16 | (p)[2] << 8 | (p)[3]) #endif