[nginx] Overflow detection in ngx_http_range_parse().
Ruslan Ermilov
ru at nginx.com
Tue Mar 17 09:59:54 UTC 2015
details: http://hg.nginx.org/nginx/rev/9653092a79fd
branches:
changeset: 6013:9653092a79fd
user: Ruslan Ermilov <ru at nginx.com>
date: Tue Mar 17 00:26:24 2015 +0300
description:
Overflow detection in ngx_http_range_parse().
diffstat:
src/http/modules/ngx_http_range_filter_module.c | 13 ++++++++++++-
1 files changed, 12 insertions(+), 1 deletions(-)
diffs (44 lines):
diff -r 550212836c8f -r 9653092a79fd src/http/modules/ngx_http_range_filter_module.c
--- a/src/http/modules/ngx_http_range_filter_module.c Tue Mar 17 00:26:22 2015 +0300
+++ b/src/http/modules/ngx_http_range_filter_module.c Tue Mar 17 00:26:24 2015 +0300
@@ -274,7 +274,7 @@ ngx_http_range_parse(ngx_http_request_t
ngx_uint_t ranges)
{
u_char *p;
- off_t start, end, size, content_length;
+ off_t start, end, size, content_length, cutoff, cutlim;
ngx_uint_t suffix;
ngx_http_range_t *range;
@@ -282,6 +282,9 @@ ngx_http_range_parse(ngx_http_request_t
size = 0;
content_length = r->headers_out.content_length_n;
+ cutoff = NGX_MAX_OFF_T_VALUE / 10;
+ cutlim = NGX_MAX_OFF_T_VALUE % 10;
+
for ( ;; ) {
start = 0;
end = 0;
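Review bot: `cutoff` and `cutlim` are assigned without a comment, and the guards that use them later in the function are hard to read without knowing what the pair means. A short comment above the two assignments would help, e.g. `/* cutoff: largest value that can still be multiplied by 10; cutlim: largest digit that may follow it */`. ngx_http_range_parse() starts before this hunk and continues after it.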
@@ -295,6 +298,10 @@ ngx_http_range_parse(ngx_http_request_t
}
while (*p >= '0' && *p <= '9') {
+ if (start >= cutoff && (start > cutoff || *p - '0' > cutlim)) {
+ return NGX_HTTP_RANGE_NOT_SATISFIABLE;
+ }
+
start = start * 10 + *p++ - '0';
}
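Review bot: The guard before `start = start * 10 + *p++ - '0';` bounds one parsed number at a time, as does the identical `end` guard in the next hunk; nothing in these hunks bounds arithmetic that later combines the parsed values. `size` is set to 0 before the `for ( ;; )` loop, so it presumably accumulates per-range lengths in code outside the hunks, and a sum of several in-range values can still exceed NGX_MAX_OFF_T_VALUE. If so, the accumulation needs its own check of the form `if (len > NGX_MAX_OFF_T_VALUE - size) { return NGX_HTTP_RANGE_NOT_SATISFIABLE; }`, where `len` is a placeholder for the length being added (the real expression is not visible here).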
@@ -321,6 +328,10 @@ ngx_http_range_parse(ngx_http_request_t
}
while (*p >= '0' && *p <= '9') {
+ if (end >= cutoff && (end > cutoff || *p - '0' > cutlim)) {
+ return NGX_HTTP_RANGE_NOT_SATISFIABLE;
+ }
+
end = end * 10 + *p++ - '0';
}
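Review bot: An overflowing last-byte-pos is rejected here with NGX_HTTP_RANGE_NOT_SATISFIABLE, whereas RFC 7233 interprets a last-byte-pos at or beyond the representation length as "through the last byte". Whether this differs from how a large but representable `end` is treated depends on the code after this loop, which is outside the hunk. If rejecting is the intended, conservative choice, state it next to the check: `/* an unrepresentable last-byte-pos is rejected, not clamped */`.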