From a5cfa096d26933b1789d86df8af9c12574c23cc5 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov
Date: Thu, 5 Sep 2024 19:35:43 +0400
Subject: [PATCH] HTTP/3: fixed potential type overflow in string literal parser.

This might happen for Huffman encoded string literals as the result of length expansion. Notably, the maximum length of string literals is already limited with the "large_client_header_buffers" directive, so this was only possible with nonsensically large configured limits.
---
 src/http/v3/ngx_http_v3_parse.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c
index 436765c8a..bcbf0dbe1 100644
--- a/src/http/v3/ngx_http_v3_parse.c
+++ b/src/http/v3/ngx_http_v3_parse.c
@@ -623,6 +623,12 @@ ngx_http_v3_parse_literal(ngx_connection_t *c, ngx_http_v3_parse_literal_t *st,
 }

 if (st->huffman) {
+ if (n > NGX_MAX_INT_T_VALUE / 8) {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent too large field line");
+ return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD;
+ }
+
 n = n * 8 / 5;
 st->huffstate = 0;
 }
-- 
2.47.3
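Review bot: The new guard `if (n > NGX_MAX_INT_T_VALUE / 8)` is linked to the `n * 8 / 5` expansion just below it only by the matching constant, and nothing in the code says so. A comment above the check, such as `/* keep n * 8 below from overflowing; a Huffman code is at least 5 bits, hence 8 / 5 */`, would stop the bound and the ratio from drifting apart in a later edit. The log text "client sent too large field line" blames the client, while the commit message says this branch is reachable only with a very large configured limit. Wording that names the Huffman expansion would make the entry easier to tell apart from an ordinary size-limit rejection, which is presumably logged elsewhere in the function. The declaration of `n` and the start and end of ngx_http_v3_parse_literal are outside the hunk, so whether the signed maximum is the tightest bound for `n`'s type cannot be confirmed from these lines.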