HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().

When the "pending" value is zero, the "buf" will be right shifted
by the width of its type, which results in undefined behavior.

Found by Coverity (CID 1352150).
Valentin Bartenev 2016-02-12 16:36:20 +03:00
parent 531e6fbfd6
commit 822fc91b09


@ -231,6 +231,10 @@ ngx_http_v2_huff_encode(u_char *src, size_t len, u_char *dst, ngx_uint_t lower)
buf = pending ? code << (sizeof(buf) * 8 - pending) : 0; buf = pending ? code << (sizeof(buf) * 8 - pending) : 0;
} }
if (pending == 0) {
return hlen;
}
buf |= (ngx_uint_t) -1 >> pending; buf |= (ngx_uint_t) -1 >> pending;
pending = ngx_align(pending, 8); pending = ngx_align(pending, 8);
@ -241,10 +245,10 @@ ngx_http_v2_huff_encode(u_char *src, size_t len, u_char *dst, ngx_uint_t lower)
buf >>= sizeof(buf) * 8 - pending; buf >>= sizeof(buf) * 8 - pending;
while (pending) { do {
pending -= 8; pending -= 8;
dst[hlen++] = (u_char) (buf >> pending); dst[hlen++] = (u_char) (buf >> pending);
} } while (pending);
return hlen; return hlen;
} }
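Review bot: The closing `do { ... } while (pending);` loop is only correct because of an invariant the code never states: the new `if (pending == 0)` early return plus `ngx_align(pending, 8)` leave `pending` a nonzero multiple of 8 when the loop is entered. If `pending` is unsigned, as the `(ngx_uint_t) -1 >> pending` line suggests, a later edit that drops or moves the early return would let `pending -= 8` wrap and the loop keep storing through `dst[hlen++]`. I would pin this with a comment above the loop, e.g. `/* pending is a nonzero multiple of 8 here: zero returned early, the rest was aligned */`. The lines between the two hunks are not shown, so whether those stores are bounded against `len` cannot be confirmed from this page; the function body also starts outside the hunk.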