[hackers] [quark][PATCH] Fix overflow when calling strtonum in parse_range

From: José Miguel Sánchez García <soy.jmi2k_AT_gmail.com>
Date: Sat, 31 Oct 2020 21:58:26 +0000

The value passed as maxval, SIZE_MAX, doesn't fit in a long long int due
to signedness. It was causing legitimate range requests to be discarded
as bad.

I tested it serving an mp4 and opening it with Firefox. A "range=0-" was
requested, and it triggered the bug.
---
 http.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/http.c b/http.c
index 1862dc4..d7b04e9 100644
--- a/http.c
+++ b/http.c
_AT_@ -478,10 +478,10 @@ parse_range(const char *str, size_t size, size_t *lower, size_t *upper)
 		 * last byte if 'last' is not given),
 		 * inclusively, and byte-numbering beginning at 0
 		 */
-		*lower = strtonum(first, 0, SIZE_MAX, &err);
+		*lower = strtonum(first, 0, LLONG_MAX, &err);
 		if (!err) {
 			if (last[0] != '\0') {
-				*upper = strtonum(last, 0, SIZE_MAX, &err);
+				*upper = strtonum(last, 0, LLONG_MAX, &err);
 			} else {
 				*upper = size - 1;
 			}
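Review bot: in both strtonum calls of this hunk the new bound LLONG_MAX can exceed SIZE_MAX wherever size_t is narrower than long long (32-bit targets), so a value strtonum accepts is silently truncated when stored into the size_t *lower or *upper, and err stays unset. Consider passing the smaller of the two limits as maxval, for example MIN(SIZE_MAX, LLONG_MAX), so that oversized values are rejected instead of wrapped. The diffstat shows only the three replaced lines and no added include, so also confirm that http.c already includes <limits.h> for LLONG_MAX.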
_AT_@ -513,7 +513,7 @@ parse_range(const char *str, size_t size, size_t *lower, size_t *upper)
 		 * use upper as a temporary storage for 'num',
 		 * as we know 'upper' is size - 1
 		 */
-		*upper = strtonum(last, 0, SIZE_MAX, &err);
+		*upper = strtonum(last, 0, LLONG_MAX, &err);
 		if (err) {
 			return S_BAD_REQUEST;
 		}
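Review bot: the suffix-length parse stores strtonum's long long result into *upper as temporary storage, and the if (err) check right after it only sees strtonum's own range error, so with maxval LLONG_MAX a length above SIZE_MAX on a platform with a narrower size_t passes the check after being truncated. Use the same bounded maxval here as in the first hunk, or parse into a long long local and compare it against size before assigning to *upper.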
-- 
2.29.2
Received on Sat Oct 31 2020 - 22:58:26 CET
