walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Prevent undefined behavior in decode_length

This commit is contained in:
Matt Rudary 2016-11-11 11:12:43 -05:00
parent 2b75aff32e
commit 5a81f2441f
2 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
AUTHORS
View File

@ -32,6 +32,7 @@ Etienne Cimon
Fabian Möller Fabian Möller
Fabian Wiesel Fabian Wiesel
Gabi Davar Gabi Davar
Google Inc.
Jacob Champion Jacob Champion
Jan-E Jan-E
Janusz Dziemidowicz Janusz Dziemidowicz

5
lib/nghttp2_hd.c
View File

@ -864,6 +864,11 @@ static ssize_t decode_length(uint32_t *res, size_t *shift_ptr, int *fin,
for (; in != last; ++in, shift += 7) { for (; in != last; ++in, shift += 7) {
uint32_t add = *in & 0x7f; uint32_t add = *in & 0x7f;
if (shift >= 32) {
DEBUGF("inflate: shift exponent overflow\n");
return -1;
}
if ((UINT32_MAX >> shift) < add) { if ((UINT32_MAX >> shift) < add) {
DEBUGF("inflate: integer overflow on shift\n"); DEBUGF("inflate: integer overflow on shift\n");
return -1; return -1;