Changes with nginx 1.6.3 07 Apr 2015v1.6.3nginx-1.6

    *) Feature: now the "tcp_nodelay" directive works with SPDY connections.

    *) Bugfix: in error handling.
       Thanks to Yichun Zhang and Daniil Bondarev.

    *) Bugfix: alerts "header already sent" appeared in logs if the
       "post_action" directive was used; the bug had appeared in 1.5.4.

    *) Bugfix: alerts "sem_post() failed" might appear in logs.

    *) Bugfix: in hash table handling.
       Thanks to Chris West.

    *) Bugfix: in integer overflow handling.
       Thanks to Régis Leroy.

1 files changed, 8 insertions, 4 deletions

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index 02b4a0fd1..8d38a1920 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2104,6 +2104,10 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
             goto invalid;
 
         case sw_chunk_size:
+            if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
+                goto invalid;
+            }
+
             if (ch >= '0' && ch <= '9') {
                 ctx->size = ctx->size * 16 + (ch - '0');
                 break;
@@ -2253,6 +2257,10 @@ data:
     ctx->state = state;
     b->pos = pos;
 
+    if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
+        goto invalid;
+    }
+
     switch (state) {
 
     case sw_chunk_start:
@@ -2289,10 +2297,6 @@ data:
 
     }
 
-    if (ctx->size < 0 || ctx->length < 0) {
-        goto invalid;
-    }
-
     return rc;
 
 done: