[nginx] Overflow detection in ngx_http_range_parse().

Tue Apr 7 13:05:09 UTC 2015

details:   http://hg.nginx.org/nginx/rev/a77b625641c7
branches:  stable-1.6
changeset: 6087:a77b625641c7
user:      Ruslan Ermilov <ru at nginx.com>
date:      Tue Mar 17 00:26:24 2015 +0300
description:
Overflow detection in ngx_http_range_parse().

diffstat:

 src/http/modules/ngx_http_range_filter_module.c |  13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

diffs (44 lines):

diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c
--- a/src/http/modules/ngx_http_range_filter_module.c
+++ b/src/http/modules/ngx_http_range_filter_module.c
@@ -274,7 +274,7 @@ ngx_http_range_parse(ngx_http_request_t 
     ngx_uint_t ranges)
 {
     u_char            *p;
-    off_t              start, end, size, content_length;
+    off_t              start, end, size, content_length, cutoff, cutlim;
     ngx_uint_t         suffix;
     ngx_http_range_t  *range;
 
@@ -282,6 +282,9 @@ ngx_http_range_parse(ngx_http_request_t 
     size = 0;
     content_length = r->headers_out.content_length_n;
 
+    cutoff = NGX_MAX_OFF_T_VALUE / 10;
+    cutlim = NGX_MAX_OFF_T_VALUE % 10;
+
     for ( ;; ) {
         start = 0;
         end = 0;
@@ -295,6 +298,10 @@ ngx_http_range_parse(ngx_http_request_t 
             }
 
             while (*p >= '0' && *p <= '9') {
+                if (start >= cutoff && (start > cutoff || *p - '0' > cutlim)) {
+                    return NGX_HTTP_RANGE_NOT_SATISFIABLE;
+                }
+
                 start = start * 10 + *p++ - '0';
             }
 
@@ -321,6 +328,10 @@ ngx_http_range_parse(ngx_http_request_t 
         }
 
         while (*p >= '0' && *p <= '9') {
+            if (end >= cutoff && (end > cutoff || *p - '0' > cutlim)) {
+                return NGX_HTTP_RANGE_NOT_SATISFIABLE;
+            }
+
             end = end * 10 + *p++ - '0';
         }
 

