From: Valentin Bartenev <vbart@nginx.com>
Date: Thu, 4 Feb 2016 15:01:04 +0000 (+0300)
Subject: HTTP/2: fixed possible buffer overrun (ticket #893).
X-Git-Tag: release-1.9.11~10
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=9add42c71e71c2af8e67eceeeb773d22a9cab760;p=nginx.git

HTTP/2: fixed possible buffer overrun (ticket #893).

Due to greater priority of the unary plus operator over the ternary operator
the expression didn't work as expected.  That might result in one byte less
allocation than needed for the HEADERS frame buffer.
---

diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
index ed30fe566..ea5897945 100644
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -215,8 +215,8 @@ ngx_http_v2_header_filter(ngx_http_request_t *r)
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
     if (r->headers_out.server == NULL) {
-        len += 1 + clcf->server_tokens ? ngx_http_v2_literal_size(NGINX_VER)
-                                       : ngx_http_v2_literal_size("nginx");
+        len += 1 + (clcf->server_tokens ? ngx_http_v2_literal_size(NGINX_VER)
+                                        : ngx_http_v2_literal_size("nginx"));
     }
 
     if (r->headers_out.date == NULL) {