Overflow detection in ngx_http_parse_chunked().

Ruslan Ermilov 2015-03-17 00:26:27 +03:00
parent dabbd1f6a6
commit 405b7f3429
1 changed files with 8 additions and 4 deletions


@ -2104,6 +2104,10 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
goto invalid; goto invalid;
case sw_chunk_size: case sw_chunk_size:
if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
goto invalid;
}
if (ch >= '0' && ch <= '9') { if (ch >= '0' && ch <= '9') {
ctx->size = ctx->size * 16 + (ch - '0'); ctx->size = ctx->size * 16 + (ch - '0');
break; break;
@ -2253,6 +2257,10 @@ data:
ctx->state = state; ctx->state = state;
b->pos = pos; b->pos = pos;
if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
goto invalid;
}
switch (state) { switch (state) {
case sw_chunk_start: case sw_chunk_start:
@ -2289,10 +2297,6 @@ data:
} }
if (ctx->size < 0 || ctx->length < 0) {
goto invalid;
}
return rc; return rc;
done: done:
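Review bot: The constant in `if (ctx->size > NGX_MAX_OFF_T_VALUE - 5)` under `data:` is unexplained, and its correctness depends on the `switch (state)` that follows, whose cases lie outside the visible hunk; presumably 5 is the largest fixed amount any case adds to `ctx->size` when it computes `ctx->length`. If a case is later changed to add more, the guard would silently stop covering that addition, and the trailing `ctx->size < 0 || ctx->length < 0` test that this commit removes would no longer be there as a backstop. I would put a comment above the guard, for example `/* 5 is the largest constant added to ctx->size in the switch below; keep in sync */`. In the `sw_chunk_size` hunk the new guard runs before the digit tests, so it also rejects a size above `NGX_MAX_OFF_T_VALUE / 16` when the current byte ends the size rather than extending it; that is the conservative direction, but a short comment saying it is intentional would help the next reader.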