From: Valentin Bartenev Date: Fri, 12 Feb 2016 13:36:20 +0000 (+0300) Subject: HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode(). X-Git-Tag: release-1.9.12~17 X-Git-Url: http://git.kaiwu.me/sitemap.xml?a=commitdiff_plain;h=822fc91b093b85a94ca54fc8c7e2d85fc5a4daf8;p=nginx.git HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode(). When the "pending" value is zero, the "buf" will be right shifted by the width of its type, which results in undefined behavior. Found by Coverity (CID 1352150). --- diff --git a/src/http/v2/ngx_http_v2_huff_encode.c b/src/http/v2/ngx_http_v2_huff_encode.c index 16c154bdf..3f822cd0b 100644 --- a/src/http/v2/ngx_http_v2_huff_encode.c +++ b/src/http/v2/ngx_http_v2_huff_encode.c @@ -231,6 +231,10 @@ ngx_http_v2_huff_encode(u_char *src, size_t len, u_char *dst, ngx_uint_t lower) buf = pending ? code << (sizeof(buf) * 8 - pending) : 0; } + if (pending == 0) { + return hlen; + } + buf |= (ngx_uint_t) -1 >> pending; pending = ngx_align(pending, 8); @@ -241,10 +245,10 @@ ngx_http_v2_huff_encode(u_char *src, size_t len, u_char *dst, ngx_uint_t lower) buf >>= sizeof(buf) * 8 - pending; - while (pending) { + do { pending -= 8; dst[hlen++] = (u_char) (buf >> pending); - } + } while (pending); return hlen; }
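Review bot: in the first hunk (@@ -231,6 +231,10 @@) the new `if (pending == 0) { return hlen; }` carries no comment saying which statement it protects, and the statement right below it is not the one at risk. `buf |= (ngx_uint_t) -1 >> pending;` is well defined for a shift count of zero, and `ngx_align(pending, 8)` leaves zero at zero. The full-width shift the commit message describes is `buf >>= sizeof(buf) * 8 - pending;`, visible as context in the second hunk. A one-line comment on the early return, saying that nothing is left to flush and that the later right shift would otherwise be by the width of `buf`, would keep the guard from being dropped as redundant in a later cleanup.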
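Review bot: in the second hunk (@@ -241,10 +245,10 @@) the `do { pending -= 8; ... } while (pending);` form subtracts before it tests, so it is only correct while `pending` is a nonzero multiple of 8 on entry. That invariant now rests on the early return added in the first hunk together with `ngx_align(pending, 8)`. The `while (pending)` loop it replaces was already skipped for zero, and the shift being fixed sits before the loop, so this conversion is not what removes the undefined behavior, and the commit message does not say why it is included. Either keep `while (pending)` or state the nonzero, multiple-of-8 precondition in a comment above the loop, so that a future change to the guard cannot let `pending -= 8` run from zero.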