From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Wed, 2 Feb 2022 13:56:23 +0000 (+0100)
Subject: MINOR: quic: Possible overflow in qpack_get_varint()
X-Git-Tag: v2.6-dev2~165
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6842485a84c702dc2250b1d918c05799ff0f2a63;p=thirdparty%2Fhaproxy.git

MINOR: quic: Possible overflow in qpack_get_varint()

This should fix CID 375051 in GH 1536 where a signed integer expression (1 << bit)
which could overflow was compared to a uint64_t.
---

diff --git a/src/qpack-dec.c b/src/qpack-dec.c
index 6c55495b27..3bfa8e98ee 100644
--- a/src/qpack-dec.c
+++ b/src/qpack-dec.c
@@ -67,8 +67,8 @@ static uint64_t qpack_get_varint(const unsigned char **buf, uint64_t *len_in, in
 	uint8_t shift = 0;
 
 	len--;
-	ret = *raw++ & ((1 << b) - 1);
-	if (ret != (uint64_t)((1 << b) - 1))
+	ret = *raw++ & ((1ULL << b) - 1);
+	if (ret != (uint64_t)((1ULL << b) - 1))
 		goto end;
 
 	while (len && (*raw & 128)) {