Klaus Demo nginx / 910f330
Autoindex: fixed possible integer overflow on 32-bit systems. Vladimir Homutov 3 years ago
1 changed file(s) with 44 addition(s) and 26 deletion(s).
433433 {
434434 u_char *last, scale;
435435 off_t length;
436 size_t len, char_len, escape_html;
436 size_t len, entry_len, char_len, escape_html;
437437 ngx_tm_t tm;
438438 ngx_buf_t *b;
439439 ngx_int_t size;
498498 entry[i].utf_len = entry[i].name.len;
499499 }
500500
501 len += sizeof("<a href=\"") - 1
502 + entry[i].name.len + entry[i].escape
503 + 1 /* 1 is for "/" */
504 + sizeof("\">") - 1
505 + entry[i].name.len - entry[i].utf_len
506 + entry[i].escape_html
507 + NGX_HTTP_AUTOINDEX_NAME_LEN + sizeof("&gt;") - 2
508 + sizeof("</a>") - 1
509 + sizeof(" 28-Sep-1970 12:00 ") - 1
510 + 20 /* the file size */
511 + 2;
501 entry_len = sizeof("<a href=\"") - 1
502 + entry[i].name.len + entry[i].escape
503 + 1 /* 1 is for "/" */
504 + sizeof("\">") - 1
505 + entry[i].name.len - entry[i].utf_len
506 + entry[i].escape_html
507 + NGX_HTTP_AUTOINDEX_NAME_LEN + sizeof("&gt;") - 2
508 + sizeof("</a>") - 1
509 + sizeof(" 28-Sep-1970 12:00 ") - 1
510 + 20 /* the file size */
511 + 2;
512
513 if (len > NGX_MAX_SIZE_T_VALUE - entry_len) {
514 return NULL;
515 }
516
517 len += entry_len;
512518 }
513519
514520 b = ngx_create_temp_buf(r->pool, len);
696702 ngx_http_autoindex_json(ngx_http_request_t *r, ngx_array_t *entries,
697703 ngx_str_t *callback)
698704 {
699 size_t len;
705 size_t len, entry_len;
700706 ngx_buf_t *b;
701707 ngx_uint_t i;
702708 ngx_http_autoindex_entry_t *entry;
713719 entry[i].escape = ngx_escape_json(NULL, entry[i].name.data,
714720 entry[i].name.len);
715721
716 len += sizeof("{ }," CRLF) - 1
717 + sizeof("\"name\":\"\"") - 1
718 + entry[i].name.len + entry[i].escape
719 + sizeof(", \"type\":\"directory\"") - 1
720 + sizeof(", \"mtime\":\"Wed, 31 Dec 1986 10:00:00 GMT\"") - 1;
722 entry_len = sizeof("{ }," CRLF) - 1
723 + sizeof("\"name\":\"\"") - 1
724 + entry[i].name.len + entry[i].escape
725 + sizeof(", \"type\":\"directory\"") - 1
726 + sizeof(", \"mtime\":\"Wed, 31 Dec 1986 10:00:00 GMT\"") - 1;
721727
722728 if (entry[i].file) {
723 len += sizeof(", \"size\":") - 1 + NGX_OFF_T_LEN;
724 }
729 entry_len += sizeof(", \"size\":") - 1 + NGX_OFF_T_LEN;
730 }
731
732 if (len > NGX_MAX_SIZE_T_VALUE - entry_len) {
733 return NULL;
734 }
735
736 len += entry_len;
725737 }
726738
727739 b = ngx_create_temp_buf(r->pool, len);
840852 static ngx_buf_t *
841853 ngx_http_autoindex_xml(ngx_http_request_t *r, ngx_array_t *entries)
842854 {
843 size_t len;
855 size_t len, entry_len;
844856 ngx_tm_t tm;
845857 ngx_buf_t *b;
846858 ngx_str_t type;
858870 entry[i].escape = ngx_escape_html(NULL, entry[i].name.data,
859871 entry[i].name.len);
860872
861 len += sizeof("<directory></directory>" CRLF) - 1
862 + entry[i].name.len + entry[i].escape
863 + sizeof(" mtime=\"1986-12-31T10:00:00Z\"") - 1;
873 entry_len = sizeof("<directory></directory>" CRLF) - 1
874 + entry[i].name.len + entry[i].escape
875 + sizeof(" mtime=\"1986-12-31T10:00:00Z\"") - 1;
864876
865877 if (entry[i].file) {
866 len += sizeof(" size=\"\"") - 1 + NGX_OFF_T_LEN;
867 }
878 entry_len += sizeof(" size=\"\"") - 1 + NGX_OFF_T_LEN;
879 }
880
881 if (len > NGX_MAX_SIZE_T_VALUE - entry_len) {
882 return NULL;
883 }
884
885 len += entry_len;
868886 }
869887
870888 b = ngx_create_temp_buf(r->pool, len);
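Review bot: The three new overflow branches (`if (len > NGX_MAX_SIZE_T_VALUE - entry_len) { return NULL; }` in the HTML, JSON and XML builders) return without writing anything to the error log, so a listing rejected for its size is presumably indistinguishable to the caller from a failed `ngx_create_temp_buf()` and leaves the operator no trace of why the request failed. I would log before returning, for example `ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "autoindex: listing size overflows size_t");`. A short comment on the check, `/* compare against MAX - entry_len: len + entry_len itself could wrap */`, would also keep a later edit from rewriting it in the wrapping form. The sum that forms `entry_len` is itself unchecked, which looks safe only while `name.len` and the escape counts stay bounded by file-name limits, something these hunks do not show. All three functions begin and end outside the visible hunks.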