From 0310c2dff7fcaa09bd61bafee1db182fd3c491b8 Mon Sep 17 00:00:00 2001
From: Aaron Bannert
Date: Wed, 29 May 2002 06:42:58 +0000
Subject: [PATCH] Properly detect overflow when reading the hex chunk lines.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95342 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 modules/http/http_protocol.c | 12 +++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index 0f97c22f55..83421d429a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 2.0.37
+ *) Detect overflow when reading the hex bytes forming a chunk line.
+ [Aaron Bannert]
+ *) Allow RewriteMap prg:'s to take command-line arguments. PR 8464. [James Tait ]
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index cab5984578..0871a1c69b 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -859,7 +859,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
 apr_brigade_flatten(bb, line, &len);
 ctx->remaining = get_chunk_size(line);
- /* Detect invalid chunk sizes. */
+ /* Detect chunksize error (such as overflow) */
 if (ctx->remaining < 0) {
 apr_brigade_cleanup(bb);
 e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
@@ -908,7 +908,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
 apr_brigade_flatten(bb, line, &len);
 ctx->remaining = get_chunk_size(line);
- /* Detect invalid chunk sizes. */
+ /* Detect chunksize error (such as overflow) */
 if (ctx->remaining < 0) {
 apr_brigade_cleanup(bb);
 e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE,
@@ -1690,8 +1690,9 @@ AP_DECLARE(int) ap_should_client_block(request_rec *r)
 static long get_chunk_size(char *b)
 {
 long chunksize = 0;
+ size_t chunkbits = sizeof(long) * 8;
- while (apr_isxdigit(*b)) {
+ while (apr_isxdigit(*b) && (chunkbits > 0)) {
 int xvalue = 0;
 if (*b >= '0' && *b <= '9') {
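Review bot: The bit budget set by `size_t chunkbits = sizeof(long) * 8;` in get_chunk_size (hunk `@@ -1690,8 +1690,9 @@`) lets the digits fill every bit of the signed `long`, sign bit included. For a full-width chunk line whose first digit is 8 or above, the last `chunksize << 4` (visible in the following hunk) shifts into the sign bit, which is undefined behaviour for a signed type. Such a value is rejected only because two's-complement wrap-around makes it negative for the `ctx->remaining < 0` tests in ap_http_filter. Reserving the top nibble keeps every accepted value non-negative without relying on that, at the cost of the very largest sizes: `size_t chunkbits = sizeof(long) * 8 - 4;`. The function body continues past the end of this hunk.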
@@ -1705,8 +1706,13 @@ static long get_chunk_size(char *b)
 }
 chunksize = (chunksize << 4) | xvalue;
+ chunkbits -= 4;
 ++b;
 }
+ if (apr_isxdigit(*b) && (chunkbits <= 0)) {
+ /* overflow */
+ return -1;
+ }
 return chunksize;
 }
--
2.40.0
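Review bot: `chunkbits -= 4;` is charged for every hex digit, leading zeros included, so a small chunk size padded with enough zeros trips the new `return -1` and, judging by the callers in ap_http_filter, is answered as an oversized entity. Charging the budget only once a significant digit has been seen avoids that false overflow: `if (chunksize != 0) chunkbits -= 4;` placed after the shift. Separately, `chunkbits` is a `size_t`, so `(chunkbits <= 0)` can only ever mean `== 0`. The new error return also deserves a function comment such as `/* Returns the chunk size, or -1 if the hex digits do not fit in a long. */`. The start of get_chunk_size lies outside this hunk.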