mirror of
https://github.com/nginx/nginx.git
synced 2024-12-22 15:13:28 -06:00
Overflow detection in ngx_http_parse_chunked().
This commit is contained in:
parent
514cdb190f
commit
4fe0a09942
@ -2155,6 +2155,10 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
|
||||
goto invalid;
|
||||
|
||||
case sw_chunk_size:
|
||||
if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
|
||||
goto invalid;
|
||||
}
|
||||
|
||||
if (ch >= '0' && ch <= '9') {
|
||||
ctx->size = ctx->size * 16 + (ch - '0');
|
||||
break;
|
||||
@ -2304,6 +2308,10 @@ data:
|
||||
ctx->state = state;
|
||||
b->pos = pos;
|
||||
|
||||
if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
|
||||
goto invalid;
|
||||
}
|
||||
|
||||
switch (state) {
|
||||
|
||||
case sw_chunk_start:
|
||||
@ -2340,10 +2348,6 @@ data:
|
||||
|
||||
}
|
||||
|
||||
if (ctx->size < 0 || ctx->length < 0) {
|
||||
goto invalid;
|
||||
}
|
||||
|
||||
return rc;
|
||||
|
||||
done:
|
||||
|
Loading…
Reference in New Issue
Block a user