Chromium Code Reviews Chromium Code Reviews
Issue 2819873002:
Avoid overflow on left shift in HpackVarintDecoder::Resume(). (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // HpackVarintDecoder decodes HPACK variable length unsigned integers. These | 5 // HpackVarintDecoder decodes HPACK variable length unsigned integers. These |
| 6 // integers are used to identify static or dynamic table index entries, to | 6 // integers are used to identify static or dynamic table index entries, to |
| 7 // specify string lengths, and to update the size limit of the dynamic table. | 7 // specify string lengths, and to update the size limit of the dynamic table. |
| 8 // | 8 // |
| 9 // The caller will need to validate that the decoded value is in an acceptable | 9 // The caller will need to validate that the decoded value is in an acceptable |
| 10 // range. | 10 // range. |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 88 | 88 |
| 89 // Resume decoding a variable length integer after an earlier | 89 // Resume decoding a variable length integer after an earlier |
| 90 // call to Start or StartExtended returned kDecodeInProgress. | 90 // call to Start or StartExtended returned kDecodeInProgress. |
| 91 DecodeStatus Resume(DecodeBuffer* db) { | 91 DecodeStatus Resume(DecodeBuffer* db) { |
| 92 CheckNotDone(); | 92 CheckNotDone(); |
| 93 do { | 93 do { |
| 94 if (db->Empty()) { | 94 if (db->Empty()) { |
| 95 return DecodeStatus::kDecodeInProgress; | 95 return DecodeStatus::kDecodeInProgress; |
| 96 } | 96 } |
| 97 uint8_t byte = db->DecodeUInt8(); | 97 uint8_t byte = db->DecodeUInt8(); |
| 98 if (offset_ == MaxOffset() && byte != 0) | |
|
xunjieli
2017/04/17 20:51:34
Can we change this to a while-loop to be more read
| |
| 99 break; | |
| 98 value_ += (byte & 0x7f) << offset_; | 100 value_ += (byte & 0x7f) << offset_; |
| 99 if ((byte & 0x80) == 0) { | 101 if ((byte & 0x80) == 0) { |
| 100 if (offset_ < MaxOffset() || byte == 0) { | 102 MarkDone(); |
| 101 MarkDone(); | 103 return DecodeStatus::kDecodeDone; |
| 102 return DecodeStatus::kDecodeDone; | |
| 103 } | |
| 104 break; | |
| 105 } | 104 } |
| 106 offset_ += 7; | 105 offset_ += 7; |
| 107 } while (offset_ <= MaxOffset()); | 106 } while (offset_ <= MaxOffset()); |
| 108 DLOG(WARNING) << "Variable length int encoding is too large or too long. " | 107 DLOG(WARNING) << "Variable length int encoding is too large or too long. " |
| 109 << DebugString(); | 108 << DebugString(); |
| 110 MarkDone(); | 109 MarkDone(); |
| 111 return DecodeStatus::kDecodeError; | 110 return DecodeStatus::kDecodeError; |
| 112 } | 111 } |
| 113 | 112 |
| 114 uint32_t value() const { | 113 uint32_t value() const { |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 172 // them from DebugString(). | 171 // them from DebugString(). |
| 173 uint32_t value_ = 0; | 172 uint32_t value_ = 0; |
| 174 uint32_t offset_ = 0; | 173 uint32_t offset_ = 0; |
| 175 }; | 174 }; |
| 176 | 175 |
| 177 std::ostream& operator<<(std::ostream& out, const HpackVarintDecoder& v); | 176 std::ostream& operator<<(std::ostream& out, const HpackVarintDecoder& v); |
| 178 | 177 |
| 179 } // namespace net | 178 } // namespace net |
| 180 | 179 |
| 181 #endif // NET_HTTP2_HPACK_DECODER_HPACK_VARINT_DECODER_H_ | 180 #endif // NET_HTTP2_HPACK_DECODER_HPACK_VARINT_DECODER_H_ |
| OLD | NEW |
