Welcome! Log In Create A New Profile

Advanced

[nginx] HTTP/2: fixed undefined behavior in ngx_http_v2_huff_enc...

Valentin Bartenev
February 12, 2016 05:40PM
details: http://hg.nginx.org/nginx/rev/dcfe355dfda4
branches:
changeset: 6396:dcfe355dfda4
user: Valentin Bartenev <vbart@nginx.com>
date: Fri Feb 12 16:36:20 2016 +0300
description:
HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().

When the "pending" value is zero, the "buf" will be right shifted
by the width of its type, which results in undefined behavior.

Found by Coverity (CID 1352150).

diffstat:

src/http/v2/ngx_http_v2_huff_encode.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)

diffs (27 lines):

diff -r ba3c2ca21aa5 -r dcfe355dfda4 src/http/v2/ngx_http_v2_huff_encode.c
--- a/src/http/v2/ngx_http_v2_huff_encode.c Thu Feb 11 15:35:36 2016 +0300
+++ b/src/http/v2/ngx_http_v2_huff_encode.c Fri Feb 12 16:36:20 2016 +0300
@@ -231,6 +231,10 @@ ngx_http_v2_huff_encode(u_char *src, siz
buf = pending ? code << (sizeof(buf) * 8 - pending) : 0;
}

+ if (pending == 0) {
+ return hlen;
+ }
+
buf |= (ngx_uint_t) -1 >> pending;

pending = ngx_align(pending, 8);
@@ -241,10 +245,10 @@ ngx_http_v2_huff_encode(u_char *src, siz

buf >>= sizeof(buf) * 8 - pending;

- while (pending) {
+ do {
pending -= 8;
dst[hlen++] = (u_char) (buf >> pending);
- }
+ } while (pending);

return hlen;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] HTTP/2: fixed undefined behavior in ngx_http_v2_huff_enc...

Valentin Bartenev 545 February 12, 2016 05:40PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 163
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready