diff options
| author | Andrew Clayton <a.clayton@nginx.com> | 2023-12-13 02:04:38 +0000 |
|---|---|---|
| committer | Andrew Clayton <a.clayton@nginx.com> | 2023-12-13 03:20:25 +0000 |
| commit | 88854cf14688286f835f7177c6bfaa17f1962f67 (patch) | |
| tree | 0916ae15eabeda1c54cfdbdcefd8c2097ad60cae /src | |
| parent | d9f5f1fb741109cc232cedd3574aa587626789c1 (diff) | |
| download | unit-88854cf14688286f835f7177c6bfaa17f1962f67.tar.gz unit-88854cf14688286f835f7177c6bfaa17f1962f67.tar.bz2 | |
Ruby: Prevent a possible integer underflow
Coverity picked up a potential issue with the previous commit d9f5f1fb7
("Ruby: Handle response field arrays") in that a size_t could wrap
around to SIZE_MAX - 1.
This would happen if we were given an empty array of header values.
Fixes: d9f5f1fb7 ("Ruby: Handle response field arrays")
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/ruby/nxt_ruby.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/ruby/nxt_ruby.c b/src/ruby/nxt_ruby.c index 3a019c36..27b868fe 100644 --- a/src/ruby/nxt_ruby.c +++ b/src/ruby/nxt_ruby.c @@ -914,8 +914,12 @@ nxt_ruby_hash_info(VALUE r_key, VALUE r_value, VALUE arg) len += RSTRING_LEN(item) + 2; /* +2 for '; ' */ } + if (arr_len > 0) { + len -= 2; + } + headers_info->fields++; - headers_info->size += RSTRING_LEN(r_key) + len - 2; + headers_info->size += RSTRING_LEN(r_key) + len; return ST_CONTINUE; } @@ -994,7 +998,9 @@ nxt_ruby_hash_add(VALUE r_key, VALUE r_value, VALUE arg) p = nxt_cpymem(p, "; ", 2); } - len -= 2; + if (arr_len > 0) { + len -= 2; + } *rc = nxt_unit_response_add_field(headers_info->req, RSTRING_PTR(r_key), key_len, |