-rw-r--r--ext/unicorn_http/c_util.h8
-rw-r--r--test/unit/test_http_parser_ng.rb20
2 files changed, 26 insertions, 2 deletions
diff --git a/ext/unicorn_http/c_util.h b/ext/unicorn_http/c_util.h
index 8542b3d..ab1fc0e 100644
--- a/ext/unicorn_http/c_util.h
+++ b/ext/unicorn_http/c_util.h
@@ -108,8 +108,12 @@ static off_t parse_length(const char *value, size_t length)
 {
   off_t rv;
 
-  for (rv = 0; length-- && rv >= 0; ++value)
-    rv = step_incr(rv, *value, 10);
+  for (rv = 0; length-- && rv >= 0; ++value) {
+    if (*value >= '0' && *value <= '9')
+      rv = step_incr(rv, *value, 10);
+    else
+      return -1;
+  }
 
   return rv;
 }
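Review bot: An empty value still parses as 0 in `parse_length`, because with `length == 0` the `for` loop never runs and `rv` is returned at its initial value, so the new digit check is never reached. If callers can pass a zero-length header value (not visible in this hunk), add `if (length == 0) return -1;` before the loop so that an empty `Content-Length:` is rejected like any other non-numeric value. It would also help to add a comment above the loop recording why the check is strict, for example `/* Content-Length must be digits only; reject anything else so body framing cannot be read differently by a front-end proxy */`. The function's signature sits just above the hunk, and `step_incr`'s overflow handling is outside it, so the `rv >= 0` loop condition is assumed to be the overflow guard.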
diff --git a/test/unit/test_http_parser_ng.rb b/test/unit/test_http_parser_ng.rb
index 4980249..3b9111f 100644
--- a/test/unit/test_http_parser_ng.rb
+++ b/test/unit/test_http_parser_ng.rb
@@ -416,4 +416,24 @@ class HttpParserNgTest < Test::Unit::TestCase
     end
   end
 
+  def test_negative_content_length
+    req = {}
+    str = "PUT / HTTP/1.1\r\n" \
+          "Content-Length: -1\r\n" \
+          "\r\n"
+    assert_raises(HttpParserError) do
+      @parser.headers(req, str)
+    end
+  end
+
+  def test_invalid_content_length
+    req = {}
+    str = "PUT / HTTP/1.1\r\n" \
+          "Content-Length: zzzzz\r\n" \
+          "\r\n"
+    assert_raises(HttpParserError) do
+      @parser.headers(req, str)
+    end
+  end
+
 end
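Review bot: The two added tests cover only values whose first byte is already a non-digit (`-1`, `zzzzz`), so they would also pass with a check that inspected just the first character. A case with valid leading digits followed by other bytes would pin the per-character rejection inside the loop, and an empty-value case would document what the parser does when no digits are present. The sample header value below is constructed for illustration. The enclosing `HttpParserNgTest` class begins outside this hunk.

```ruby
  def test_content_length_trailing_garbage
    req = {}
    str = "PUT / HTTP/1.1\r\n" \
          "Content-Length: 5abc\r\n" \
          "\r\n"
    assert_raises(HttpParserError) do
      @parser.headers(req, str)
    end
  end
```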