IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-12-20 14:13:33 -06:00
Code Issues Packages Projects Releases Wiki Activity

Overflow detection in ngx_http_range_parse().

Browse Source
This commit is contained in:
Ruslan Ermilov 2015-03-17 00:26:24 +03:00
parent a43f1bcf6e
commit 514cdb190f
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/http/modules/ngx_http_range_filter_module.c
View File

@ -274,7 +274,7 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx,
ngx_uint_t ranges) ngx_uint_t ranges)
{ {
u_char *p; u_char *p;
off_t start, end, size, content_length; off_t start, end, size, content_length, cutoff, cutlim;
ngx_uint_t suffix; ngx_uint_t suffix;
ngx_http_range_t *range; ngx_http_range_t *range;
@ -282,6 +282,9 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx,
size = 0; size = 0;
content_length = r->headers_out.content_length_n; content_length = r->headers_out.content_length_n;
cutoff = NGX_MAX_OFF_T_VALUE / 10;
cutlim = NGX_MAX_OFF_T_VALUE % 10;
for ( ;; ) { for ( ;; ) {
start = 0; start = 0;
end = 0; end = 0;
@ -295,6 +298,10 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx,
} }
while (*p >= '0' && *p <= '9') { while (*p >= '0' && *p <= '9') {
if (start >= cutoff && (start > cutoff || *p - '0' > cutlim)) {
return NGX_HTTP_RANGE_NOT_SATISFIABLE;
}
start = start * 10 + *p++ - '0'; start = start * 10 + *p++ - '0';
} }
@ -321,6 +328,10 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx,
} }
while (*p >= '0' && *p <= '9') { while (*p >= '0' && *p <= '9') {
if (end >= cutoff && (end > cutoff || *p - '0' > cutlim)) {
return NGX_HTTP_RANGE_NOT_SATISFIABLE;
}
end = end * 10 + *p++ - '0'; end = end * 10 + *p++ - '0';
} }