From: Philippe Antoine <contact@catenacyber.fr>
Date: Fri, 5 Jul 2019 06:34:06 +0000 (+0200)
Subject: http: fixes overflow in range parsing
X-Git-Tag: suricata-5.0.0-rc1~198
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d217e666;p=thirdparty%2Fsuricata.git

http: fixes overflow in range parsing
---

diff --git a/src/app-layer-htp-file.c b/src/app-layer-htp-file.c
index a04196a74a..2f367daf7f 100644
--- a/src/app-layer-htp-file.c
+++ b/src/app-layer-htp-file.c
@@ -186,7 +186,7 @@ int HTPParseContentRange(bstr * rawvalue, HtpContentRange *range)
 
     if (data[pos] == '*') {
         // case with size only
-        if (len < pos + 1 || data[pos+1] != '/') {
+        if (len <= pos + 1 || data[pos+1] != '/') {
             range->size = -1;
             return -1;
         }
@@ -196,13 +196,13 @@ int HTPParseContentRange(bstr * rawvalue, HtpContentRange *range)
         // case with start and end
         range->start = bstr_util_mem_to_pint(data + pos, len - pos, 10, &last_pos);
         pos += last_pos;
-        if (len < pos + 1 || data[pos] != '-') {
+        if (len <= pos + 1 || data[pos] != '-') {
             return -1;
         }
         pos++;
         range->end = bstr_util_mem_to_pint(data + pos, len - pos, 10, &last_pos);
         pos += last_pos;
-        if (len < pos + 1 || data[pos] != '/') {
+        if (len <= pos + 1 || data[pos] != '/') {
             return -1;
         }
         pos++;