Mercurial > hg > nginx

changeset 8463:2576485b93d4 quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
HTTP/3: fixed overflow in prefixed integer parser. Previously, the expression (ch & 0x7f) was promoted to a signed integer. Depending on the platform, the size of this integer could be less than 8 bytes, leading to overflow when handling the higher bits of the result. Also, sign bit of this integer could be replicated when adding to the 64-bit st->value.
author Roman Arutyunyan <arut@nginx.com>
date Fri, 03 Jul 2020 16:41:31 +0300
parents 153bffee3d7e
children fdb8edc8e496
files src/http/v3/ngx_http_v3_parse.c
diffstat 1 files changed, 1 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/src/http/v3/ngx_http_v3_parse.c
+++ b/src/http/v3/ngx_http_v3_parse.c
@@ -118,7 +118,7 @@ ngx_http_v3_parse_prefix_int(ngx_connect
 
     case sw_value:
 
-        st->value += (ch & 0x7f) << st->shift;
+        st->value += (uint64_t) (ch & 0x7f) << st->shift;
         if (ch & 0x80) {
             st->shift += 7;
             break;