diff options
| author | Valentin Bartenev <vbart@nginx.com> | 2016-02-12 16:36:20 +0300 |
|---|---|---|
| committer | Valentin Bartenev <vbart@nginx.com> | 2016-02-12 16:36:20 +0300 |
| commit | 822fc91b093b85a94ca54fc8c7e2d85fc5a4daf8 (patch) | |
| tree | 6bb1c7a1402cd0c3bda32799e1d7e1dd0e6e0bf6 | |
| parent | 531e6fbfd6c785a7b42c285c12d3f0721cc989c7 (diff) | |
| download | nginx-822fc91b093b85a94ca54fc8c7e2d85fc5a4daf8.tar.gz nginx-822fc91b093b85a94ca54fc8c7e2d85fc5a4daf8.zip | |
HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().
When the "pending" value is zero, the "buf" will be right shifted
by the width of its type, which results in undefined behavior.
Found by Coverity (CID 1352150).
| -rw-r--r-- | src/http/v2/ngx_http_v2_huff_encode.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/http/v2/ngx_http_v2_huff_encode.c b/src/http/v2/ngx_http_v2_huff_encode.c index 16c154bdf..3f822cd0b 100644 --- a/src/http/v2/ngx_http_v2_huff_encode.c +++ b/src/http/v2/ngx_http_v2_huff_encode.c @@ -231,6 +231,10 @@ ngx_http_v2_huff_encode(u_char *src, size_t len, u_char *dst, ngx_uint_t lower) buf = pending ? code << (sizeof(buf) * 8 - pending) : 0; } + if (pending == 0) { + return hlen; + } + buf |= (ngx_uint_t) -1 >> pending; pending = ngx_align(pending, 8); @@ -241,10 +245,10 @@ ngx_http_v2_huff_encode(u_char *src, size_t len, u_char *dst, ngx_uint_t lower) buf >>= sizeof(buf) * 8 - pending; - while (pending) { + do { pending -= 8; dst[hlen++] = (u_char) (buf >> pending); - } + } while (pending); return hlen; } |