[trafficserver] branch 7.1.x updated: Fix an failed assertion in HttpSM::parse_range_and_compare

Mon, 11 Mar 2019 12:38:09 -0700 

This is an automated email from the ASF dual-hosted git repository.

eze pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/7.1.x by this push:
     new 6428722  Fix an failed assertion in HttpSM::parse_range_and_compare
6428722 is described below

commit 6428722801cdb7132f514bd27313c938bbcc54d2
Author: fengshuaitao <[email protected]>
AuthorDate: Wed Jan 17 15:08:29 2018 +0800

    Fix an failed assertion in HttpSM::parse_range_and_compare
    
    Signed-off-by: fengshuaitao <[email protected]>
    (cherry picked from commit 8046477d6c871be61a9d2ec6b41f2524a3fde699)
---
 proxy/http/HttpSM.cc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 61b100f..3e86697 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -4259,6 +4259,8 @@ HttpSM::parse_range_and_compare(MIMEField *field, int64_t 
content_length)
   const char *s, *e, *tmp;
   RangeRecord *ranges = nullptr;
   int64_t start, end;
+  int64_t cutoff = INT64_MAX / 10;
+  int64_t cutlim = INT64_MAX % 10;
 
   ink_assert(field != nullptr && t_state.range_setup == 
HttpTransact::RANGE_NONE && t_state.ranges == nullptr);
 
@@ -4315,6 +4317,12 @@ HttpSM::parse_range_and_compare(MIMEField *field, 
int64_t content_length)
       start = -1;
     } else {
       for (start = 0; s < e && *s >= '0' && *s <= '9'; ++s) {
+        // check the int64 overflow in case of high gcc with O3 option
+        // thinking the start is always positive
+        if (start >= cutoff && (start > cutoff || *s - '0' > cutlim)) {
+          t_state.range_setup = HttpTransact::RANGE_NONE;
+          goto Lfaild;
+        }
         start = start * 10 + (*s - '0');
       }
       // skip last white spaces
@@ -4347,6 +4355,12 @@ HttpSM::parse_range_and_compare(MIMEField *field, 
int64_t content_length)
       end = content_length - 1;
     } else {
       for (end = 0; s < e && *s >= '0' && *s <= '9'; ++s) {
+        // check the int64 overflow in case of high gcc with O3 option
+        // thinking the start is always positive
+        if (end >= cutoff && (end > cutoff || *s - '0' > cutlim)) {
+          t_state.range_setup = HttpTransact::RANGE_NONE;
+          goto Lfaild;
+        }
         end = end * 10 + (*s - '0');
       }
       // skip last white spaces

Reply via email to