Ruby: Prevent a possible integer underflow

Coverity picked up a potential issue with the previous commit d9f5f1f ("Ruby: Handle response field arrays") in that a size_t could wrap around to SIZE_MAX - 1. This would happen if we were given an empty array of header values. Fixes: d9f5f1f ("Ruby: Handle response field arrays") Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
nginx · Dec 13, 2023 · 88854cf · 88854cf
1 parent d9f5f1f
commit 88854cf
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/src/ruby/nxt_ruby.c b/src/ruby/nxt_ruby.c
@@ -914,8 +914,12 @@ nxt_ruby_hash_info(VALUE r_key, VALUE r_value, VALUE arg)
             len += RSTRING_LEN(item) + 2;   /* +2 for '; ' */
         }
 
+        if (arr_len > 0) {
+            len -= 2;
+        }
+
         headers_info->fields++;
-        headers_info->size += RSTRING_LEN(r_key) + len - 2;
+        headers_info->size += RSTRING_LEN(r_key) + len;
 
         return ST_CONTINUE;
     }
@@ -994,7 +998,9 @@ nxt_ruby_hash_add(VALUE r_key, VALUE r_value, VALUE arg)
             p = nxt_cpymem(p, "; ", 2);
         }
 
-        len -= 2;
+        if (arr_len > 0) {
+            len -= 2;
+        }
 
         *rc = nxt_unit_response_add_field(headers_info->req,
                                           RSTRING_PTR(r_key), key_len,