changeset 6396:dcfe355dfda4

HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode(). When the "pending" value is zero, the "buf" will be right shifted by the width of its type, which results in undefined behavior. Found by Coverity (CID 1352150).
author Valentin Bartenev <vbart@nginx.com>
date Fri, 12 Feb 2016 16:36:20 +0300
parents ba3c2ca21aa5
children 78f8ac479735
files src/http/v2/ngx_http_v2_huff_encode.c
diffstat 1 files changed, 6 insertions(+), 2 deletions(-) [+]
--- a/src/http/v2/ngx_http_v2_huff_encode.c
+++ b/src/http/v2/ngx_http_v2_huff_encode.c
@@ -231,6 +231,10 @@ ngx_http_v2_huff_encode(u_char *src, siz
         buf = pending ? code << (sizeof(buf) * 8 - pending) : 0;
     }
 
+    if (pending == 0) {
+        return hlen;
+    }
+
     buf |= (ngx_uint_t) -1 >> pending;
 
     pending = ngx_align(pending, 8);
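Review bot: The added `if (pending == 0)` early return has no comment, and the reason for it is not visible at this spot. With `pending` at zero, `ngx_align(pending, 8)` stays zero and the later `buf >>= sizeof(buf) * 8 - pending` shifts by the full width of `buf`, which is undefined behavior. The context line above already guards the mirror-image left shift with `pending ? ... : 0`. I would put `/* no bits left to flush; also keeps the shifts below narrower than "buf" */` above the guard so it is not removed as redundant later. The function body starts before this hunk, so the declared type of `pending` is not shown here.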
@@ -241,10 +245,10 @@ ngx_http_v2_huff_encode(u_char *src, siz
 
     buf >>= sizeof(buf) * 8 - pending;
 
-    while (pending) {
+    do {
         pending -= 8;
         dst[hlen++] = (u_char) (buf >> pending);
-    }
+    } while (pending);
 
     return hlen;
 }
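Review bot: The `do { ... } while (pending)` form drops the loop's own zero check, so `pending -= 8` and the store to `dst[hlen++]` now rely on an invariant set up elsewhere. That invariant comes from the early return in the first hunk plus `ngx_align(pending, 8)`, which together leave a non-zero multiple of 8. If `pending` is an unsigned `ngx_uint_t`, as the cast in the first hunk suggests, a zero value reaching this loop would wrap instead of terminating. A one-line comment above the `do`, such as `/* pending is a non-zero multiple of 8 here, see the early return above */`, would document that dependency. The lines between the two hunks are not shown, so the output-length check that bounds these writes cannot be confirmed from this diff.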