make the chunk header parser properly fail at end of buffer, and not require zero terminated strings

arvidn 2017-12-22 22:14:04 +01:00 committed by Arvid Norberg
parent b5d4bc5e62
commit 43d7f980d0
2 changed files with 23 additions and 3 deletions


@ -39,6 +39,7 @@ POSSIBILITY OF SUCH DAMAGE.
#include "libtorrent/assert.hpp"
#include "libtorrent/parse_url.hpp" // for parse_url_components
#include "libtorrent/aux_/escape_string.hpp" // for read_until
#include "libtorrent/hex.hpp"
using namespace libtorrent;
@ -470,8 +471,27 @@ restart_response:
// empty line
// first, read the chunk length
*chunk_size = strtoll(pos, 0, 16);
if (*chunk_size < 0) return true;
boost::int64_t size = 0;
for (char const* i = pos; i != newline; ++i)
{
if (*i == '\r') continue;
if (*i == '\n') continue;
if (*i == ';') break;
int const digit = detail::hex_to_int(*i);
if (digit < 0)
{
*chunk_size = -1;
return true;
}
if (size >= std::numeric_limits<boost::int64_t>::max() / 16)
{
*chunk_size = -1;
return true;
}
size *= 16;
size += digit;
}
*chunk_size = size;
if (*chunk_size != 0)
{
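Review bot: A chunk-size line with no hex digits at all (for example only `\r\n`, or one that begins with `;`) leaves `size` at 0 and is reported as a valid zero-length chunk, which the code after the loop appears to treat as the terminating chunk. The loop also skips `\r` and `\n` wherever they occur before `newline`, so digits separated by a stray CR are silently concatenated. Counting the digits consumed and adding `if (num_digits == 0) { *chunk_size = -1; return true; }` before `*chunk_size = size;` would reject such lines the same way non-hex characters are now rejected. Separately, `std::numeric_limits` needs `<limits>` and the include hunk adds only `libtorrent/hex.hpp`; it may already arrive transitively, but an explicit include is safer. The enclosing function starts and ends outside the hunk.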


@ -566,6 +566,6 @@ TORRENT_TEST(invalid_chunk_afl)
boost::tuple<int, int, bool> const received
= feed_bytes(parser, reinterpret_cast<char const*>(invalid_chunked_input));
TEST_CHECK(boost::get<2>(received) == true);
TEST_CHECK(boost::get<2>(received) == false);
}
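Review bot: The only test touched here is the AFL regression case, so as far as this page shows the two new rejection paths in the chunk-size loop have no direct coverage: a non-hex character in the size field, and a size with enough hex digits to trip the `max() / 16` guard. Small dedicated cases that feed such a chunk header and check the parser's error flag would pin both branches. Since the commit is about not requiring zero-terminated input, a case whose buffer ends right after the size digits with no trailing NUL would also be worth adding; the test body starts outside the hunk, so how `feed_bytes` determines the input length is not visible here.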