[nginx] Autoindex: fixed possible integer overflow on 32-bit systems.

Vladimir Homutov vl at nginx.com
Tue Dec 25 13:11:49 UTC 2018


details:   https://hg.nginx.org/nginx/rev/a91b93f3f3e7
branches:  
changeset: 7435:a91b93f3f3e7
user:      Vladimir Homutov <vl at nginx.com>
date:      Tue Dec 25 12:59:24 2018 +0300
description:
Autoindex: fixed possible integer overflow on 32-bit systems.

diffstat:

 src/http/modules/ngx_http_autoindex_module.c |  66 +++++++++++++++++----------
 1 files changed, 42 insertions(+), 24 deletions(-)

diffs (117 lines):

diff -r e3b262e7fc88 -r a91b93f3f3e7 src/http/modules/ngx_http_autoindex_module.c
--- a/src/http/modules/ngx_http_autoindex_module.c	Mon Dec 24 16:30:10 2018 +0200
+++ b/src/http/modules/ngx_http_autoindex_module.c	Tue Dec 25 12:59:24 2018 +0300
@@ -434,7 +434,7 @@ ngx_http_autoindex_html(ngx_http_request
 {
     u_char                         *last, scale;
     off_t                           length;
-    size_t                          len, char_len, escape_html;
+    size_t                          len, entry_len, char_len, escape_html;
     ngx_tm_t                        tm;
     ngx_buf_t                      *b;
     ngx_int_t                       size;
@@ -499,17 +499,23 @@ ngx_http_autoindex_html(ngx_http_request
             entry[i].utf_len = entry[i].name.len;
         }
 
-        len += sizeof("<a href=\"") - 1
-            + entry[i].name.len + entry[i].escape
-            + 1                                          /* 1 is for "/" */
-            + sizeof("\">") - 1
-            + entry[i].name.len - entry[i].utf_len
-            + entry[i].escape_html
-            + NGX_HTTP_AUTOINDEX_NAME_LEN + sizeof(">") - 2
-            + sizeof("</a>") - 1
-            + sizeof(" 28-Sep-1970 12:00 ") - 1
-            + 20                                         /* the file size */
-            + 2;
+        entry_len = sizeof("<a href=\"") - 1
+                  + entry[i].name.len + entry[i].escape
+                  + 1                                    /* 1 is for "/" */
+                  + sizeof("\">") - 1
+                  + entry[i].name.len - entry[i].utf_len
+                  + entry[i].escape_html
+                  + NGX_HTTP_AUTOINDEX_NAME_LEN + sizeof(">") - 2
+                  + sizeof("</a>") - 1
+                  + sizeof(" 28-Sep-1970 12:00 ") - 1
+                  + 20                                   /* the file size */
+                  + 2;
+
+        if (len > NGX_MAX_SIZE_T_VALUE - entry_len) {
+            return NULL;
+        }
+
+        len += entry_len;
     }
 
     b = ngx_create_temp_buf(r->pool, len);
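Review bot: The new `return NULL` in the overflow guard is silent, so an oversized listing cannot be told apart in the logs from any other NULL return of this function (the `ngx_create_temp_buf()` result is handled outside the hunk). Logging before the return would make the condition visible to operators, e.g. `ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "autoindex listing is too large");`. The same silent return is added in the `ngx_http_autoindex_json` and `ngx_http_autoindex_xml` hunks. The body of `ngx_http_autoindex_html` starts and ends outside this hunk.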
@@ -697,7 +703,7 @@ static ngx_buf_t *
 ngx_http_autoindex_json(ngx_http_request_t *r, ngx_array_t *entries,
     ngx_str_t *callback)
 {
-    size_t                       len;
+    size_t                       len, entry_len;
     ngx_buf_t                   *b;
     ngx_uint_t                   i;
     ngx_http_autoindex_entry_t  *entry;
@@ -714,15 +720,21 @@ ngx_http_autoindex_json(ngx_http_request
         entry[i].escape = ngx_escape_json(NULL, entry[i].name.data,
                                           entry[i].name.len);
 
-        len += sizeof("{  }," CRLF) - 1
-            + sizeof("\"name\":\"\"") - 1
-            + entry[i].name.len + entry[i].escape
-            + sizeof(", \"type\":\"directory\"") - 1
-            + sizeof(", \"mtime\":\"Wed, 31 Dec 1986 10:00:00 GMT\"") - 1;
+        entry_len = sizeof("{  }," CRLF) - 1
+                  + sizeof("\"name\":\"\"") - 1
+                  + entry[i].name.len + entry[i].escape
+                  + sizeof(", \"type\":\"directory\"") - 1
+                  + sizeof(", \"mtime\":\"Wed, 31 Dec 1986 10:00:00 GMT\"") - 1;
 
         if (entry[i].file) {
-            len += sizeof(", \"size\":") - 1 + NGX_OFF_T_LEN;
+            entry_len += sizeof(", \"size\":") - 1 + NGX_OFF_T_LEN;
         }
+
+        if (len > NGX_MAX_SIZE_T_VALUE - entry_len) {
+            return NULL;
+        }
+
+        len += entry_len;
     }
 
     b = ngx_create_temp_buf(r->pool, len);
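Review bot: The guard `len > NGX_MAX_SIZE_T_VALUE - entry_len` protects only the running total; the sum that builds `entry_len` from `entry[i].name.len + entry[i].escape` and the fixed parts is itself unchecked `size_t` arithmetic. That is presumably safe because a directory entry name is short and the escape count is a small multiple of it, but nothing in the hunk states that bound. A comment above the assignment would record the assumption, e.g. `/* entry_len cannot wrap: name.len is bounded by the filesystem name limit */`. The HTML and XML hunks rely on the same assumption, and the loop and function body extend beyond this hunk.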
@@ -841,7 +853,7 @@ ngx_http_autoindex_jsonp_callback(ngx_ht
 static ngx_buf_t *
 ngx_http_autoindex_xml(ngx_http_request_t *r, ngx_array_t *entries)
 {
-    size_t                          len;
+    size_t                          len, entry_len;
     ngx_tm_t                        tm;
     ngx_buf_t                      *b;
     ngx_str_t                       type;
@@ -859,13 +871,19 @@ ngx_http_autoindex_xml(ngx_http_request_
         entry[i].escape = ngx_escape_html(NULL, entry[i].name.data,
                                           entry[i].name.len);
 
-        len += sizeof("<directory></directory>" CRLF) - 1
-            + entry[i].name.len + entry[i].escape
-            + sizeof(" mtime=\"1986-12-31T10:00:00Z\"") - 1;
+        entry_len = sizeof("<directory></directory>" CRLF) - 1
+                  + entry[i].name.len + entry[i].escape
+                  + sizeof(" mtime=\"1986-12-31T10:00:00Z\"") - 1;
 
         if (entry[i].file) {
-            len += sizeof(" size=\"\"") - 1 + NGX_OFF_T_LEN;
+            entry_len += sizeof(" size=\"\"") - 1 + NGX_OFF_T_LEN;
         }
+
+        if (len > NGX_MAX_SIZE_T_VALUE - entry_len) {
+            return NULL;
+        }
+
+        len += entry_len;
     }
 
     b = ngx_create_temp_buf(r->pool, len);

