X-Git-Url: https://git.m6w6.name/?p=m6w6%2Fext-http;a=blobdiff_plain;f=http_api.c;h=eebfeb2ef80840c9f2f53bb46b3782413941dcea;hp=eec41daa0d7068d964cc26ab7377e15dc6b78fba;hb=ec76b279f999eaa62eeb83478f953ad477c6fe66;hpb=c04184b2188a60efed4753d7eef7f3952aed9cef

diff --git a/http_api.c b/http_api.c
index eec41da..eebfeb2 100644
--- a/http_api.c
+++ b/http_api.c
@@ -295,24 +295,28 @@ PHP_HTTP_API const char *_http_chunked_decode(const char *encoded, size_t encode
 {
 	const char *e_ptr;
 	char *d_ptr;
+	long rest;
 	
 	*decoded_len = 0;
 	*decoded = ecalloc(1, encoded_len);
 	d_ptr = *decoded;
 	e_ptr = encoded;
 
-	while (((e_ptr - encoded) - encoded_len) > 0) {
-		size_t chunk_len = 0, EOL_len = 0;
-		int eol_mismatch = 0;
+	while ((rest = encoded + encoded_len - e_ptr) > 0) {
+		long chunk_len = 0;
+		int EOL_len = 0, eol_mismatch = 0;
 		char *n_ptr;
 
 		chunk_len = strtol(e_ptr, &n_ptr, 16);
 
 		/* check if:
 		 * - we could not read in chunk size
+		 * - we got a negative chunk size
+		 * - chunk size is greater then remaining size
 		 * - chunk size is not followed by (CR)LF|NUL
 		 */
-		if ((n_ptr == e_ptr) || (*n_ptr && (eol_mismatch = n_ptr != http_locate_eol(e_ptr, &EOL_len)))) {
+		if (	(n_ptr == e_ptr) ||	(chunk_len < 0) || (chunk_len > rest) || 
+				(*n_ptr && (eol_mismatch = (n_ptr != http_locate_eol(e_ptr, &EOL_len))))) {
 			/* don't fail on apperently not encoded data */
 			if (e_ptr == encoded) {
 				memcpy(*decoded, encoded, encoded_len);