HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().

When the "pending" value is zero, the "buf" will be right shifted by the width of its type, which results in undefined behavior. Found by Coverity (CID 1352150).
author: Valentin Bartenev <vbart@nginx.com> 2016-02-12 16:36:20 +0300
committer: Valentin Bartenev <vbart@nginx.com> 2016-02-12 16:36:20 +0300
commit: 822fc91b093b85a94ca54fc8c7e2d85fc5a4daf8 (patch)
tree: 6bb1c7a1402cd0c3bda32799e1d7e1dd0e6e0bf6 /src/http/v2/ngx_http_v2_huff_encode.c
parent: 531e6fbfd6c785a7b42c285c12d3f0721cc989c7 (diff)
download: nginx-822fc91b093b85a94ca54fc8c7e2d85fc5a4daf8.tar.gz
nginx-822fc91b093b85a94ca54fc8c7e2d85fc5a4daf8.zip
1 files changed, 6 insertions, 2 deletions
diff --git a/src/http/v2/ngx_http_v2_huff_encode.c b/src/http/v2/ngx_http_v2_huff_encode.c
index 16c154bdf..3f822cd0b 100644
--- a/src/http/v2/ngx_http_v2_huff_encode.c
+++ b/src/http/v2/ngx_http_v2_huff_encode.c
@@ -231,6 +231,10 @@ ngx_http_v2_huff_encode(u_char *src, size_t len, u_char *dst, ngx_uint_t lower)
         buf = pending ? code << (sizeof(buf) * 8 - pending) : 0;
     }
 
+    if (pending == 0) {
+        return hlen;
+    }
+
     buf |= (ngx_uint_t) -1 >> pending;
 
     pending = ngx_align(pending, 8);
@@ -241,10 +245,10 @@ ngx_http_v2_huff_encode(u_char *src, size_t len, u_char *dst, ngx_uint_t lower)
 
     buf >>= sizeof(buf) * 8 - pending;
 
-    while (pending) {
+    do {
         pending -= 8;
         dst[hlen++] = (u_char) (buf >> pending);
-    }
+    } while (pending);
 
     return hlen;
 }
author	Valentin Bartenev <vbart@nginx.com>	2016-02-12 16:36:20 +0300
committer	Valentin Bartenev <vbart@nginx.com>	2016-02-12 16:36:20 +0300
commit	822fc91b093b85a94ca54fc8c7e2d85fc5a4daf8 (patch)
tree	6bb1c7a1402cd0c3bda32799e1d7e1dd0e6e0bf6 /src/http/v2/ngx_http_v2_huff_encode.c
parent	531e6fbfd6c785a7b42c285c12d3f0721cc989c7 (diff)
download	nginx-822fc91b093b85a94ca54fc8c7e2d85fc5a4daf8.tar.gz nginx-822fc91b093b85a94ca54fc8c7e2d85fc5a4daf8.zip