authorRuslan Ermilov <ru@nginx.com>2015-03-17 00:26:27 +0300
committerRuslan Ermilov <ru@nginx.com>2015-03-17 00:26:27 +0300
commit4fe0a09942f8aed90f84c77969847980e9aadd98 (patch)
tree3cacaf37bd9edc086c788e820ac1b7d60dcfc8a2 /src
parent514cdb190f63bd5a5f2de987547365855455600c (diff)
downloadnginx-4fe0a09942f8aed90f84c77969847980e9aadd98.tar.gz
nginx-4fe0a09942f8aed90f84c77969847980e9aadd98.zip
Overflow detection in ngx_http_parse_chunked().
Diffstat (limited to 'src')
-rw-r--r--src/http/ngx_http_parse.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index b60f41bb6..0e0b3a237 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2155,6 +2155,10 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
goto invalid;
case sw_chunk_size:
+ if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
+ goto invalid;
+ }
+
if (ch >= '0' && ch <= '9') {
ctx->size = ctx->size * 16 + (ch - '0');
break;
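Review bot: The new guard at the top of `case sw_chunk_size:` runs before `ch` is classified, so it fires for terminator bytes as well as for further hex digits. A fully parsed size above `NGX_MAX_OFF_T_VALUE / 16` is therefore rejected even when no further multiply would happen, which makes that value the effective cap on an accepted chunk size. That is a safe, conservative limit, but it is not obvious from the code, so I would add a comment above the check such as `/* reject before ctx->size * 16 can overflow off_t; this also caps the accepted chunk size */`. The remaining digit branches of this case lie outside the hunk and presumably do the same multiply, so it is worth confirming none of them can be reached without passing this guard. A regression test with a chunk-size line of 16 or more hex digits would pin the behaviour.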
@@ -2304,6 +2308,10 @@ data:
ctx->state = state;
b->pos = pos;
+ if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
+ goto invalid;
+ }
+
switch (state) {
case sw_chunk_start:
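Review bot: The literal `5` in `ctx->size > NGX_MAX_OFF_T_VALUE - 5` is unexplained and is now the only thing preventing overflow in the `ctx->length` computation. It presumably equals the largest constant added to `ctx->size` in the `switch (state)` arms that follow, but those arms are outside this hunk, so this should be confirmed. Since the commit also drops the `ctx->length < 0` check after the switch, a later edit that adds more framing bytes to one of the arms would reintroduce a signed overflow with nothing to catch it. I would document the coupling at the check, for example `/* 5 = max bytes added to ctx->size when computing ctx->length below */`, or replace the literal with a named constant shared with the switch arms.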
@@ -2340,10 +2348,6 @@ data:
}
- if (ctx->size < 0 || ctx->length < 0) {
- goto invalid;
- }
-
return rc;
done: