diff options
| author | Ruslan Ermilov <ru@nginx.com> | 2015-03-17 00:26:24 +0300 |
|---|---|---|
| committer | Ruslan Ermilov <ru@nginx.com> | 2015-03-17 00:26:24 +0300 |
| commit | dabbd1f6a63778269ae3e007fa905daa009f1d0e (patch) | |
| tree | e6d0ebbeaac1fa1e084496b89e518345d2c6124c | |
| parent | 166a3a13a497c7218d052a7fae4a9a5456268575 (diff) | |
| download | nginx-dabbd1f6a63778269ae3e007fa905daa009f1d0e.tar.gz nginx-dabbd1f6a63778269ae3e007fa905daa009f1d0e.tar.bz2 | |
Overflow detection in ngx_http_range_parse().
| -rw-r--r-- | src/http/modules/ngx_http_range_filter_module.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c index 6a65e4849..bb9a42c54 100644 --- a/src/http/modules/ngx_http_range_filter_module.c +++ b/src/http/modules/ngx_http_range_filter_module.c @@ -274,7 +274,7 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx, ngx_uint_t ranges) { u_char *p; - off_t start, end, size, content_length; + off_t start, end, size, content_length, cutoff, cutlim; ngx_uint_t suffix; ngx_http_range_t *range; @@ -282,6 +282,9 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx, size = 0; content_length = r->headers_out.content_length_n; + cutoff = NGX_MAX_OFF_T_VALUE / 10; + cutlim = NGX_MAX_OFF_T_VALUE % 10; + for ( ;; ) { start = 0; end = 0; @@ -295,6 +298,10 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx, } while (*p >= '0' && *p <= '9') { + if (start >= cutoff && (start > cutoff || *p - '0' > cutlim)) { + return NGX_HTTP_RANGE_NOT_SATISFIABLE; + } + start = start * 10 + *p++ - '0'; } @@ -321,6 +328,10 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx, } while (*p >= '0' && *p <= '9') { + if (end >= cutoff && (end > cutoff || *p - '0' > cutlim)) { + return NGX_HTTP_RANGE_NOT_SATISFIABLE; + } + end = end * 10 + *p++ - '0'; } |