Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-08-03 20:50:07 +01:00
Code Issues Projects Releases Packages Wiki Activity

fix potentially overflowing arithmetic in cache range requests

Browse source
This commit is contained in:
Gregory Terzian 2019-03-14 21:38:28 +08:00
parent ecfb9c639a
commit 5836bd2fc0
1 changed files with 17 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

18
components/net/http_cache.rs
View file

@ -401,6 +401,10 @@ fn handle_range_request(
// whose body is in the ResponseBody::Receiving state. // whose body is in the ResponseBody::Receiving state.
(&(Bound::Included(beginning), Bound::Included(end)), Some(ref complete_resource)) => { (&(Bound::Included(beginning), Bound::Included(end)), Some(ref complete_resource)) => {
if let ResponseBody::Done(ref body) = *complete_resource.body.lock().unwrap() { if let ResponseBody::Done(ref body) = *complete_resource.body.lock().unwrap() {
if end == u64::max_value() {
// Prevent overflow on the addition below.
return None;
}
let b = beginning as usize; let b = beginning as usize;
let e = end as usize + 1; let e = end as usize + 1;
let requested = body.get(b..e); let requested = body.get(b..e);
@ -428,7 +432,7 @@ fn handle_range_request(
}, },
_ => continue, _ => continue,
}; };
if res_beginning - 1 < beginning && res_end + 1 > end { if res_beginning <= beginning && res_end >= end {
let resource_body = &*partial_resource.body.lock().unwrap(); let resource_body = &*partial_resource.body.lock().unwrap();
let requested = match resource_body { let requested = match resource_body {
&ResponseBody::Done(ref body) => { &ResponseBody::Done(ref body) => {
@ -474,6 +478,10 @@ fn handle_range_request(
} else { } else {
continue; continue;
}; };
if total == 0 {
// Prevent overflow in the below operations from occuring.
continue;
};
if res_beginning < beginning && res_end == total - 1 { if res_beginning < beginning && res_end == total - 1 {
let resource_body = &*partial_resource.body.lock().unwrap(); let resource_body = &*partial_resource.body.lock().unwrap();
let requested = match resource_body { let requested = match resource_body {
@ -519,6 +527,14 @@ fn handle_range_request(
} else { } else {
continue; continue;
}; };
if !(total >= res_beginning) ||
!(total >= res_end) ||
offset == 0 ||
offset == u64::max_value()
{
// Prevent overflow in the below operations from occuring.
continue;
}
if (total - res_beginning) > (offset - 1) && (total - res_end) < offset + 1 { if (total - res_beginning) > (offset - 1) && (total - res_end) < offset + 1 {
let resource_body = &*partial_resource.body.lock().unwrap(); let resource_body = &*partial_resource.body.lock().unwrap();
let requested = match resource_body { let requested = match resource_body {