Prevent undefined behavior in decode_length

2016-11-11 11:12:43 -05:00 · 2016-11-11 11:12:43 -05:00 · 5a81f2441f
parent 2b75aff32e
commit 5a81f2441f
2 changed files with 6 additions and 0 deletions
--- a/1
+++ b/1
@ -32,6 +32,7 @@ Etienne Cimon
 Fabian Möller
 Fabian Wiesel
 Gabi Davar
+Google Inc.
 Jacob Champion
 Jan-E
 Janusz Dziemidowicz
--- a/lib/nghttp2_hd.c
+++ b/lib/nghttp2_hd.c
@ -864,6 +864,11 @@ static ssize_t decode_length(uint32_t *res, size_t *shift_ptr, int *fin,
  for (; in != last; ++in, shift += 7) {
    uint32_t add = *in & 0x7f;

+    if (shift >= 32) {
+      DEBUGF("inflate: shift exponent overflow\n");
+      return -1;
+    }
+
    if ((UINT32_MAX >> shift) < add) {
      DEBUGF("inflate: integer overflow on shift\n");
      return -1;