details: http://hg.nginx.org/nginx/rev/dcfe355dfda4 branches: changeset: 6396:dcfe355dfda4 user: Valentin Bartenev <vb...@nginx.com> date: Fri Feb 12 16:36:20 2016 +0300 description: HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().
When the "pending" value is zero, the "buf" will be right shifted by the width of its type, which results in undefined behavior. Found by Coverity (CID 1352150). diffstat: src/http/v2/ngx_http_v2_huff_encode.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) diffs (27 lines):
diff -r ba3c2ca21aa5 -r dcfe355dfda4 src/http/v2/ngx_http_v2_huff_encode.c
--- a/src/http/v2/ngx_http_v2_huff_encode.c Thu Feb 11 15:35:36 2016 +0300
+++ b/src/http/v2/ngx_http_v2_huff_encode.c Fri Feb 12 16:36:20 2016 +0300
@@ -231,6 +231,10 @@ ngx_http_v2_huff_encode(u_char *src, siz
 buf = pending ? code << (sizeof(buf) * 8 - pending) : 0;
 }
+ if (pending == 0) {
+ return hlen;
+ }
+
 buf |= (ngx_uint_t) -1 >> pending;
 pending = ngx_align(pending, 8);
@@ -241,10 +245,10 @@ ngx_http_v2_huff_encode(u_char *src, siz
 buf >>= sizeof(buf) * 8 - pending;
- while (pending) {
+ do {
 pending -= 8;
 dst[hlen++] = (u_char) (buf >> pending);
- }
+ } while (pending);
 return hlen;
 }
_______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
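Review bot: The new `if (pending == 0)` early return has no comment tying it to the shift it protects, so a later cleanup could mistake it for a redundant fast path and drop it. The statement it guards, `buf >>= sizeof(buf) * 8 - pending;`, sits in the second hunk and becomes a shift by the full width of `buf` when `pending` is zero. I would add `/* nothing left to flush; a zero "pending" would shift "buf" by its full width below */` above the `if`. The function starts before this hunk, and the lines between the two hunks are not shown.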
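Review bot: The `do { ... } while (pending);` loop subtracts 8 before its first test, so it is only correct while `pending` is a non-zero multiple of 8 on entry. With zero or an unaligned value the counter would step past zero without stopping (presumably wrapping, if `pending` is unsigned as the `ngx_uint_t` cast in the first hunk suggests), and the `dst[hlen++]` stores would run past the intended end. That precondition comes from the early return and the `ngx_align(pending, 8)` call in the first hunk, neither of which is next to the loop. I would add `/* pending is a non-zero multiple of 8 here */` above `do {` so the dependency stays visible when either part is edited.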