]> git.kaiwu.me - nginx.git/commitdiff
HTTP/3: fixed overflow in prefixed integer parser.
authorRoman Arutyunyan <arut@nginx.com>
Fri, 3 Jul 2020 13:41:31 +0000 (16:41 +0300)
committerRoman Arutyunyan <arut@nginx.com>
Fri, 3 Jul 2020 13:41:31 +0000 (16:41 +0300)
Previously, the expression (ch & 0x7f) was promoted to a signed integer.
Depending on the platform, the size of this integer could be less than 8 bytes,
leading to overflow when handling the higher bits of the result.  Also, sign
bit of this integer could be replicated when adding to the 64-bit st->value.

src/http/v3/ngx_http_v3_parse.c

index da9826ced3921cac1464ab865a7536f68c1e946f..bb8d7329678195118150a14b99ad5512b0f5281b 100644 (file)
@@ -118,7 +118,7 @@ ngx_http_v3_parse_prefix_int(ngx_connection_t *c,
 
     case sw_value:
 
-        st->value += (ch & 0x7f) << st->shift;
+        st->value += (uint64_t) (ch & 0x7f) << st->shift;
         if (ch & 0x80) {
             st->shift += 7;
             break;