From 3b2eabde0bedc9a1a7d1b53bdbc28bdc14773dd1 Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Fri, 3 Jul 2020 16:41:31 +0300 Subject: HTTP/3: fixed overflow in prefixed integer parser. Previously, the expression (ch & 0x7f) was promoted to a signed integer. Depending on the platform, the size of this integer could be less than 8 bytes, leading to overflow when handling the higher bits of the result. Also, sign bit of this integer could be replicated when adding to the 64-bit st->value. --- src/http/v3/ngx_http_v3_parse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c index da9826ced..bb8d73296 100644 --- a/src/http/v3/ngx_http_v3_parse.c +++ b/src/http/v3/ngx_http_v3_parse.c @@ -118,7 +118,7 @@ ngx_http_v3_parse_prefix_int(ngx_connection_t *c, case sw_value: - st->value += (ch & 0x7f) << st->shift; + st->value += (uint64_t) (ch & 0x7f) << st->shift; if (ch & 0x80) { st->shift += 7; break; -- cgit