Protect from length overflows

benaadams · benaadams · commit 1d26e56a0660 · 2015-12-25T01:02:55.000Z
diff --git a/src/Microsoft.AspNet.Server.Kestrel/Infrastructure/MemoryPoolIterator2.cs b/src/Microsoft.AspNet.Server.Kestrel/Infrastructure/MemoryPoolIterator2.cs
@@ -514,21 +514,25 @@ public int GetLength(MemoryPoolIterator2 end)
             var block = _block;
             var index = _index;
             var length = 0;
-            while (true)
+
+            checked
             {
-                if (block == end._block)
-                {
-                    return length + end._index - index;
-                }
-                else if (block.Next == null)
+                while (true)
                 {
-                    throw new InvalidOperationException("end did not follow iterator");
-                }
-                else
-                {
-                    length += block.End - index;
-                    block = block.Next;
-                    index = block.Start;
+                    if (block == end._block)
+                    {
+                        return length + end._index - index;
+                    }
+                    else if (block.Next == null)
+                    {
+                        throw new InvalidOperationException("end did not follow iterator");
+                    }
+                    else
+                    {
+                        length += block.End - index;
+                        block = block.Next;
+                        index = block.Start;
+                    }
                 }
             }
         }
diff --git a/src/Microsoft.AspNet.Server.Kestrel/Infrastructure/MemoryPoolIterator2Extensions.cs b/src/Microsoft.AspNet.Server.Kestrel/Infrastructure/MemoryPoolIterator2Extensions.cs
@@ -81,6 +81,11 @@ public unsafe static string GetAsciiString(this MemoryPoolIterator2 start, Memor
             {
                 return null;
             }
+            else if (length > int.MaxValue - 12)
+            {
+                // protect unrolled loop from using negative values in extremis
+                throw new ArgumentOutOfRangeException(nameof(end));
+            }
 
             // Bytes out of the range of ascii are treated as "opaque data" 
             // and kept in string as a char value that casts to same input byte value

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,11 @@ public unsafe static string GetAsciiString(this MemoryPoolIterator2 start, Memor`
`81`	`81`	`{`
`82`	`82`	`return null;`
`83`	`83`	`}`
	`84`	`+ else if (length > int.MaxValue - 12)`
	`85`	`+ {`
	`86`	`+ // protect unrolled loop from using negative values in extremis`
	`87`	`+ throw new ArgumentOutOfRangeException(nameof(end));`
	`88`	`+ }`
`84`	`89`
`85`	`90`	`// Bytes out of the range of ascii are treated as "opaque data"`
`86`	`91`	`// and kept in string as a char value that casts to same input byte value`