diff options
| author | Roman Arutyunyan <arut@nginx.com> | 2020-07-03 16:41:31 +0300 |
|---|---|---|
| committer | Roman Arutyunyan <arut@nginx.com> | 2020-07-03 16:41:31 +0300 |
| commit | 3b2eabde0bedc9a1a7d1b53bdbc28bdc14773dd1 (patch) | |
| tree | 4d1a345f7e788d5afb81399a933e8ba1e1a6d770 /src/http/v3/ngx_http_v3_parse.c | |
| parent | 0ebcffcf1409a03d2437ad18d65387448382620d (diff) | |
| download | nginx-3b2eabde0bedc9a1a7d1b53bdbc28bdc14773dd1.tar.gz nginx-3b2eabde0bedc9a1a7d1b53bdbc28bdc14773dd1.zip | |
HTTP/3: fixed overflow in prefixed integer parser.
Previously, the expression (ch & 0x7f) was promoted to a signed integer.
Depending on the platform, the size of this integer could be less than 8 bytes,
leading to overflow when handling the higher bits of the result. Also, sign
bit of this integer could be replicated when adding to the 64-bit st->value.
Diffstat (limited to 'src/http/v3/ngx_http_v3_parse.c')
| -rw-r--r-- | src/http/v3/ngx_http_v3_parse.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c index da9826ced..bb8d73296 100644 --- a/src/http/v3/ngx_http_v3_parse.c +++ b/src/http/v3/ngx_http_v3_parse.c @@ -118,7 +118,7 @@ ngx_http_v3_parse_prefix_int(ngx_connection_t *c, case sw_value: - st->value += (ch & 0x7f) << st->shift; + st->value += (uint64_t) (ch & 0x7f) << st->shift; if (ch & 0x80) { st->shift += 7; break; |