- correct package name

[m6w6/ext-http] / http_api.c

diff --git a/http_api.c b/http_api.c
index eec41daa0d7068d964cc26ab7377e15dc6b78fba..eebfeb2ef80840c9f2f53bb46b3782413941dcea 100644 (file)
--- a/http_api.c
+++ b/http_api.c
@@ -295,24 +295,28 @@ PHP_HTTP_API const char *_http_chunked_decode(const char *encoded, size_t encode
 {
        const char *e_ptr;
        char *d_ptr;
+       long rest;
        
        *decoded_len = 0;
        *decoded = ecalloc(1, encoded_len);
        d_ptr = *decoded;
        e_ptr = encoded;
 
-       while (((e_ptr - encoded) - encoded_len) > 0) {
-               size_t chunk_len = 0, EOL_len = 0;
-               int eol_mismatch = 0;
+       while ((rest = encoded + encoded_len - e_ptr) > 0) {
+               long chunk_len = 0;
+               int EOL_len = 0, eol_mismatch = 0;
                char *n_ptr;
 
                chunk_len = strtol(e_ptr, &n_ptr, 16);
 
                /* check if:
                 * - we could not read in chunk size
+                * - we got a negative chunk size
+                * - chunk size is greater then remaining size
                 * - chunk size is not followed by (CR)LF|NUL
                 */
-               if ((n_ptr == e_ptr) || (*n_ptr && (eol_mismatch = n_ptr != http_locate_eol(e_ptr, &EOL_len)))) {
+               if (    (n_ptr == e_ptr) ||     (chunk_len < 0) || (chunk_len > rest) || 
+                               (*n_ptr && (eol_mismatch = (n_ptr != http_locate_eol(e_ptr, &EOL_len))))) {
                        /* don't fail on apperently not encoded data */
                        if (e_ptr == encoded) {
                                memcpy(*decoded, encoded, encoded_len);