Author: aogburn
Date: 2014-07-23 12:58:01 -0400 (Wed, 23 Jul 2014)
New Revision: 2480
Modified:
branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
Log:
Merge CVE-2014-0075 to 2.1.x
Modified: branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
===================================================================
---
branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-07-18
20:34:47 UTC (rev 2479)
+++
branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-07-23
16:58:01 UTC (rev 2480)
@@ -267,7 +267,7 @@
int result = 0;
boolean eol = false;
boolean crfound = false;
- boolean readDigit = false;
+ int readDigit = 0;
boolean trailer = false;
while (!eol) {
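Review bot: The name `readDigit` no longer matches its type: it used to be a flag and is now a counter of hex digits consumed, so the later `readDigit < 8` and `readDigit == 0` tests read oddly. Renaming it on the new side, for example `int digitsRead = 0;`, would make the bound and the emptiness check self-explanatory. The enclosing method and the `while (!eol)` loop both extend outside this hunk, so every use of the variable would need the same rename.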
@@ -294,10 +294,10 @@
throw new IOException("Invalid chunk header");
} else if (!trailer) {
//don't read data after the trailer
- if (HexUtils.DEC[buf[pos] & 0xff] != -1) {
- readDigit = true;
- result *= 16;
- result += HexUtils.DEC[buf[pos]];
+ int charValue = HexUtils.DEC[buf[pos] & 0xff];
+ if (charValue != -1 && readDigit < 8) {
+ readDigit++;
+ result = (result << 4) | charValue;
} else {
//we shouldn't allow invalid, non hex characters
//in the chunked header
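Review bot: The cap `readDigit < 8` in the new condition is an unexplained literal, and the comment in the `else` branch still speaks only of non-hex characters although that branch now also receives a ninth hex digit. A comment above the `if`, such as `// at most 8 hex digits fit in the 32-bit int result; longer chunk sizes are rejected`, would state why the bound exists, and the `else` comment could be widened to `//reject non-hex characters and over-long chunk sizes`. The cap counts leading zeros as well, so a zero-padded size of more than eight digits is refused even when its value is small; that fails closed, but is worth documenting as intentional. With exactly eight digits the top bit of `result` can still be set, so the bound relies on the `result < 0` test kept in the following hunk. The body of the `else` branch lies outside this hunk; presumably it raises the same `Invalid chunk header` exception.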
@@ -309,7 +309,7 @@
}
- if (!readDigit || (result < 0))
+ if (readDigit == 0 || (result < 0))
throw new IOException("Invalid chunk header");
if (result == 0)
Property changes on:
branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
___________________________________________________________________
Added: svn:mergeinfo
+
/branches/7.4.x/src/main/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2428