HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().

When the "pending" value is zero, the "buf" will be right shifted
by the width of its type, which results in undefined behavior.

Found by Coverity (CID 1352150).

diff --git a/src/http/v2/ngx_http_v2_huff_encode.c b/src/http/v2/ngx_http_v2_huff_encode.c
index 16c154bdf47ebdf97523ea95518a704a359d722e..3f822cd0b1229c9887dfa48f7bfc8522a0bc0135 100644 (file)
--- a/src/http/v2/ngx_http_v2_huff_encode.c
+++ b/src/http/v2/ngx_http_v2_huff_encode.c
@@ -231,6 +231,10 @@ ngx_http_v2_huff_encode(u_char *src, size_t len, u_char *dst, ngx_uint_t lower)
         buf = pending ? code << (sizeof(buf) * 8 - pending) : 0;
     }
 
+    if (pending == 0) {
+        return hlen;
+    }
+
     buf |= (ngx_uint_t) -1 >> pending;
 
     pending = ngx_align(pending, 8);
@@ -241,10 +245,10 @@ ngx_http_v2_huff_encode(u_char *src, size_t len, u_char *dst, ngx_uint_t lower)
 
     buf >>= sizeof(buf) * 8 - pending;
 
-    while (pending) {
+    do {
         pending -= 8;
         dst[hlen++] = (u_char) (buf >> pending);
-    }
+    } while (pending);
 
     return hlen;
 }