From 4fe0a09942f8aed90f84c77969847980e9aadd98 Mon Sep 17 00:00:00 2001 From: Ruslan Ermilov Date: Tue, 17 Mar 2015 00:26:27 +0300 Subject: [PATCH] Overflow detection in ngx_http_parse_chunked(). --- src/http/ngx_http_parse.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c index b60f41bb6..0e0b3a237 100644 --- a/src/http/ngx_http_parse.c +++ b/src/http/ngx_http_parse.c @@ -2155,6 +2155,10 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b, goto invalid; case sw_chunk_size: + if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) { + goto invalid; + } + if (ch >= '0' && ch <= '9') { ctx->size = ctx->size * 16 + (ch - '0'); break; @@ -2304,6 +2308,10 @@ data: ctx->state = state; b->pos = pos; + if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) { + goto invalid; + } + switch (state) { case sw_chunk_start: @@ -2340,10 +2348,6 @@ data: } - if (ctx->size < 0 || ctx->length < 0) { - goto invalid; - } - return rc; done: