From: Roman Arutyunyan Date: Fri, 3 Jul 2020 13:41:31 +0000 (+0300) Subject: HTTP/3: fixed overflow in prefixed integer parser. X-Git-Tag: release-1.25.0~4^2~646 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/gitweb.js?a=commitdiff_plain;h=3b2eabde0bedc9a1a7d1b53bdbc28bdc14773dd1;p=nginx.git HTTP/3: fixed overflow in prefixed integer parser. Previously, the expression (ch & 0x7f) was promoted to a signed integer. Depending on the platform, the size of this integer could be less than 8 bytes, leading to overflow when handling the higher bits of the result. Also, sign bit of this integer could be replicated when adding to the 64-bit st->value. --- diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c index da9826ced..bb8d73296 100644 --- a/src/http/v3/ngx_http_v3_parse.c +++ b/src/http/v3/ngx_http_v3_parse.c @@ -118,7 +118,7 @@ ngx_http_v3_parse_prefix_int(ngx_connection_t *c, case sw_value: - st->value += (ch & 0x7f) << st->shift; + st->value += (uint64_t) (ch & 0x7f) << st->shift; if (ch & 0x80) { st->shift += 7; break;