changeset 6396:dcfe355dfda4
HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().
When the "pending" value is zero, the "buf" will be right shifted
by the width of its type, which results in undefined behavior.
Found by Coverity (CID 1352150).
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Fri, 12 Feb 2016 16:36:20 +0300 |
parents | ba3c2ca21aa5 |
children | 78f8ac479735 |
files | src/http/v2/ngx_http_v2_huff_encode.c |
diffstat | 1 files changed, 6 insertions(+), 2 deletions(-) [+] |
--- a/src/http/v2/ngx_http_v2_huff_encode.c Thu Feb 11 15:35:36 2016 +0300
+++ b/src/http/v2/ngx_http_v2_huff_encode.c Fri Feb 12 16:36:20 2016 +0300
@@ -231,6 +231,10 @@
 buf = pending ? code << (sizeof(buf) * 8 - pending) : 0;
 }
+ if (pending == 0) {
+ return hlen;
+ }
+
 buf |= (ngx_uint_t) -1 >> pending;
 pending = ngx_align(pending, 8);
@@ -241,10 +245,10 @@
 buf >>= sizeof(buf) * 8 - pending;
- while (pending) {
+ do {
 pending -= 8;
 dst[hlen++] = (u_char) (buf >> pending);
- }
+ } while (pending);
 return hlen;
 }
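Review bot: The new `if (pending == 0)` return carries no comment saying which statement it protects, and that statement is not adjacent to it. The shift it guards appears to be `buf >>= sizeof(buf) * 8 - pending;` in the second hunk, where a zero `pending` makes the shift count equal to the width of `buf`. I would add above the check `/* no partial bits left: nothing to pad, and the final shift would be by the full width of buf */`. The function starts above this hunk, so how `hlen` is bounded on this early-return path cannot be confirmed from here.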
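Review bot: With the loop rewritten as `do { ... } while (pending);`, the first `pending -= 8` runs unconditionally, so the loop is memory-safe only because of the `pending == 0` return added in the first hunk and the `ngx_align(pending, 8)` before it. If that guard is later moved or removed, the subtraction would wrap (assuming `pending` is unsigned; its declaration is outside the hunk) and `dst[hlen++]` would keep writing past the output buffer. Either keep the pre-tested `while (pending) {` form, which fails closed, or state the invariant at the loop: `/* pending is a non-zero multiple of 8 here */`.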