Author: remy.maucherat(a)jboss.com Date: 2014-05-28 04:30:29 -0400 (Wed, 28 May 2014) New Revision: 2428 Modified: branches/7.4.x/src/main/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java Log: Port CVE-2014-0075: Avoid overflow and use bit shift instead. Modified: branches/7.4.x/src/main/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java =================================================================== --- branches/7.4.x/src/main/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-05-28 08:20:59 UTC (rev 2427) +++ branches/7.4.x/src/main/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-05-28 08:30:29 UTC (rev 2428) @@ -269,7 +269,7 @@ int result = 0; boolean eol = false; boolean crfound = false; - boolean readDigit = false; + int readDigit = 0; boolean trailer = false; while (!eol) { @@ -296,10 +296,10 @@ throw MESSAGES.invalidChunkHeader(); } else if (!trailer) { //don't read data after the trailer - if (HexUtils.DEC[buf[pos] & 0xff] != -1) { - readDigit = true; - result *= 16; - result += HexUtils.DEC[buf[pos]]; + int charValue = HexUtils.DEC[buf[pos] & 0xff]; + if (charValue != -1 && readDigit < 8) { + readDigit++; + result = (result << 4) | charValue; } else { //we shouldn't allow invalid, non hex characters //in the chunked header @@ -311,7 +311,7 @@ } - if (!readDigit || (result < 0)) + if (readDigit == 0 || (result < 0)) throw MESSAGES.invalidChunkHeader(); if (result == 0)