Prevent undefined behavior in decode_length

5a81f244 · Matt Rudary · 2b75aff3 · 5a81f244 · 5a81f244
Commit 5a81f244 authored Nov 11, 2016 by Matt Rudary
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

AUTHORS AUTHORS +1 -0

lib/nghttp2_hd.c lib/nghttp2_hd.c +5 -0

No files found.
--- a/AUTHORS
+++ b/AUTHORS
@@ -32,6 +32,7 @@ Etienne Cimon
 Fabian Möller
 Fabian Wiesel
 Gabi Davar
+Google Inc.
 Jacob Champion
 Jan-E
 Janusz Dziemidowicz

--- a/lib/nghttp2_hd.c
+++ b/lib/nghttp2_hd.c
@@ -864,6 +864,11 @@ static ssize_t decode_length(uint32_t *res, size_t *shift_ptr, int *fin,
  for (; in != last; ++in, shift += 7) {
    uint32_t add = *in & 0x7f;

+    if (shift >= 32) {
+      DEBUGF("inflate: shift exponent overflow\n");
+      return -1;
+    }
+
    if ((UINT32_MAX >> shift) < add) {
      DEBUGF("inflate: integer overflow on shift\n");
      return -1;