fix integer overflow in chunked http parser

2019-07-29 22:09:15 -07:00 · 2019-07-29 22:09:15 -07:00 · e539846266
parent b1b03a0d77
commit e539846266
3 changed files with 21 additions and 1 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+	* fix integer overflow in http parser
 	* improve sanitation of symlinks, to support more complex link targets
 	* add DHT routing table affinity for BEP 42 nodes
 	* add torrent_info constructor overloads to control torrent file limits
--- a/src/http_parser.cpp
+++ b/src/http_parser.cpp
@ -378,7 +378,8 @@ restart_response:
 					int header_size;
 					if (parse_chunk_header(buf, &chunk_size, &header_size))
 					{
-						if (chunk_size < 0)
+						if (chunk_size < 0
+							|| chunk_size > std::numeric_limits<std::int64_t>::max() - m_cur_chunk_end - header_size)
 						{
 							m_state = error_state;
 							error = true;
--- a/test/test_http_parser.cpp
+++ b/test/test_http_parser.cpp
@ -529,6 +529,24 @@ TORRENT_TEST(chunked_encoding)
 	TEST_CHECK(body == span<char const>("test12340123456789abcdef", 24));
 }

+TORRENT_TEST(chunked_encoding_overflow)
+{
+	char const chunked_input[] =
+		"HTTP/1.1 200 OK\r\n"
+		"Transfer-Encoding: chunked\r\n"
+		"\r\n"
+		"7FFFFFFFFFFFFFBF\r\n";
+
+	http_parser parser;
+	int payload;
+	int protocol;
+	bool error = false;
+	std::tie(payload, protocol) = parser.incoming(chunked_input, error);
+
+	// it should have encountered an error
+	TEST_CHECK(error == true);
+}
+
 TORRENT_TEST(invalid_content_length)
 {
 	char const chunked_input[] =