parse_content_length(): Fix integer overflow edge-case (OSS-Fuzz)

This completes commit 7cab422, where it was still possible to cause an integer overflow even after the fix, with input such as 2147483609, due to missing parentheses in the number equation. Fixes OSS-Fuzz#52112
OpenSIPS · Oct 7, 2022 · 837263b · 837263b
1 parent a5236a8
commit 837263b
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/parser/parse_content.c b/parser/parse_content.c
@@ -242,13 +242,13 @@ char* parse_content_length( char* buffer, char* end, int* length)
 	number = 0;
 	while (p<end && *p>='0' && *p<='9') {
 		/* do not actually cause an integer overflow, as it is UB! --liviu */
-		if (number > 214748363) {
-			LM_ERR("integer overflow risk at pos %d in len number [%.*s]\n",
+		if (number >= INT_MAX/10) {
+			LM_ERR("integer overflow risk at pos %d in length value [%.*s]\n",
 				(int)(p-buffer),(int)(end-buffer), buffer);
-			return 0;
+			return NULL;
 		}
 
-		number = number*10 + (*p)-'0';
+		number = number*10 + ((*p)-'0');
 		size ++;
 		p++;
 	}
@@ -268,7 +268,7 @@ char* parse_content_length( char* buffer, char* end, int* length)
 	return p;
 error:
 	LM_ERR("parse error near char [%d][%c]\n",*p,*p);
-	return 0;
+	return NULL;
 }