From: Ruslan Ermilov <ru@nginx.com>
Date: Mon, 16 Mar 2015 21:26:27 +0000 (+0300)
Subject: Overflow detection in ngx_http_parse_chunked().
X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=4fe0a09942f8aed90f84c77969847980e9aadd98;p=nginx.git

Overflow detection in ngx_http_parse_chunked().
---

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index b60f41bb6..0e0b3a237 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2155,6 +2155,10 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
             goto invalid;
 
         case sw_chunk_size:
+            if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
+                goto invalid;
+            }
+
             if (ch >= '0' && ch <= '9') {
                 ctx->size = ctx->size * 16 + (ch - '0');
                 break;
@@ -2304,6 +2308,10 @@ data:
     ctx->state = state;
     b->pos = pos;
 
+    if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
+        goto invalid;
+    }
+
     switch (state) {
 
     case sw_chunk_start:
@@ -2340,10 +2348,6 @@ data:
 
     }
 
-    if (ctx->size < 0 || ctx->length < 0) {
-        goto invalid;
-    }
-
     return rc;
 
 done: