diff options
| author | Ruslan Ermilov <ru@nginx.com> | 2015-03-17 00:26:27 +0300 |
|---|---|---|
| committer | Ruslan Ermilov <ru@nginx.com> | 2015-03-17 00:26:27 +0300 |
| commit | 405b7f34297989a8790943797ca61a68baacc206 (patch) | |
| tree | be7defa99df3d7af04b733b46ae01e5988e2b941 | |
| parent | dabbd1f6a63778269ae3e007fa905daa009f1d0e (diff) | |
| download | nginx-405b7f34297989a8790943797ca61a68baacc206.tar.gz nginx-405b7f34297989a8790943797ca61a68baacc206.zip | |
Overflow detection in ngx_http_parse_chunked().
| -rw-r--r-- | src/http/ngx_http_parse.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c index 02b4a0fd1..8d38a1920 100644 --- a/src/http/ngx_http_parse.c +++ b/src/http/ngx_http_parse.c @@ -2104,6 +2104,10 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b, goto invalid; case sw_chunk_size: + if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) { + goto invalid; + } + if (ch >= '0' && ch <= '9') { ctx->size = ctx->size * 16 + (ch - '0'); break; @@ -2253,6 +2257,10 @@ data: ctx->state = state; b->pos = pos; + if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) { + goto invalid; + } + switch (state) { case sw_chunk_start: @@ -2289,10 +2297,6 @@ data: } - if (ctx->size < 0 || ctx->length < 0) { - goto invalid; - } - return rc; done: |