diff options
| author | Ruslan Ermilov <ru@nginx.com> | 2015-03-17 00:26:15 +0300 |
|---|---|---|
| committer | Ruslan Ermilov <ru@nginx.com> | 2015-03-17 00:26:15 +0300 |
| commit | 8167ce853792ba9d78af8345c734d0379da22a9c (patch) | |
| tree | 5474e8f7b72d375c838f240ddae3a4f4a733409e /src/core/ngx_parse.c | |
| parent | 309928b941edf6e4a00ba873a70521c3ce3fc94d (diff) | |
Core: overflow detection in number parsing functions.
Diffstat (limited to 'src/core/ngx_parse.c')
| -rw-r--r-- | src/core/ngx_parse.c | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c index da24f4c75..79f22f05e 100644 --- a/src/core/ngx_parse.c +++ b/src/core/ngx_parse.c @@ -12,10 +12,9 @@ ssize_t ngx_parse_size(ngx_str_t *line) { - u_char unit; - size_t len; - ssize_t size; - ngx_int_t scale; + u_char unit; + size_t len; + ssize_t size, scale, max; len = line->len; unit = line->data[len - 1]; @@ -24,21 +23,24 @@ ngx_parse_size(ngx_str_t *line) case 'K': case 'k': len--; + max = NGX_MAX_SIZE_T_VALUE / 1024; scale = 1024; break; case 'M': case 'm': len--; + max = NGX_MAX_SIZE_T_VALUE / (1024 * 1024); scale = 1024 * 1024; break; default: + max = NGX_MAX_SIZE_T_VALUE; scale = 1; } size = ngx_atosz(line->data, len); - if (size == NGX_ERROR) { + if (size == NGX_ERROR || size > max) { return NGX_ERROR; } @@ -51,10 +53,9 @@ ngx_parse_size(ngx_str_t *line) off_t ngx_parse_offset(ngx_str_t *line) { - u_char unit; - off_t offset; - size_t len; - ngx_int_t scale; + u_char unit; + off_t offset, scale, max; + size_t len; len = line->len; unit = line->data[len - 1]; @@ -63,27 +64,31 @@ ngx_parse_offset(ngx_str_t *line) case 'K': case 'k': len--; + max = NGX_MAX_OFF_T_VALUE / 1024; scale = 1024; break; case 'M': case 'm': len--; + max = NGX_MAX_OFF_T_VALUE / (1024 * 1024); scale = 1024 * 1024; break; case 'G': case 'g': len--; + max = NGX_MAX_OFF_T_VALUE / (1024 * 1024 * 1024); scale = 1024 * 1024 * 1024; break; default: + max = NGX_MAX_OFF_T_VALUE; scale = 1; } offset = ngx_atoof(line->data, len); - if (offset == NGX_ERROR) { + if (offset == NGX_ERROR || offset > max) { return NGX_ERROR; } |