general/cpp-httplib
2
0
Fork 0
mirror of https://github.com/yhirose/cpp-httplib.git synced 2026-01-19 04:52:08 +00:00
Code Issues Projects Releases Wiki Activity

Fix #2324

Browse Source
This commit is contained in:
yhirose
2026-01-10 21:05:30 -05:00
parent a7e1d14b15
commit 1111219f17
1 changed files with 15 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
httplib.h
View File

@@ -8982,13 +8982,26 @@ inline bool Server::read_content(Stream &strm, Request &req, Response &res) {
strm, req, res, strm, req, res,
// Regular // Regular
[&](const char *buf, size_t n) { [&](const char *buf, size_t n) {
// Prevent arithmetic overflow when checking sizes.
// Avoid computing (req.body.size() + n) directly because
// adding two unsigned `size_t` values can wrap around and
// produce a small result instead of indicating overflow.
// Instead, check using subtraction: ensure `n` does not
// exceed the remaining capacity `max_size() - size()`.
if (req.body.size() >= req.body.max_size() ||
n > req.body.max_size() - req.body.size()) {
return false;
}
// Limit decompressed body size to payload_max_length_ to protect // Limit decompressed body size to payload_max_length_ to protect
// against "zip bomb" attacks where a small compressed payload // against "zip bomb" attacks where a small compressed payload
// decompresses to a massive size. // decompresses to a massive size.
if (req.body.size() + n > payload_max_length_ || if (payload_max_length_ > 0 &&
req.body.size() + n > req.body.max_size()) { (req.body.size() >= payload_max_length_ ||
n > payload_max_length_ - req.body.size())) {
return false; return false;
} }
req.body.append(buf, n); req.body.append(buf, n);
return true; return true;
}, },