Handle overflow in max size calculation in basic_dynamic_body

fix #1581 Signed-off-by: Damian Jarek <damian.jarek93@gmail.com>
2025-07-30 04:47:29 +02:00 · 2019-07-06 18:40:31 +02:00
parent 881405a816
commit 63ef7f65bc
3 changed files with 38 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,9 @@
+Version 264:
+
+* Handle overflow in max size calculation in `basic_dynamic_body`
+
+--------------------------------------------------------------------------------
+
 Version 263:

 * Update documentation
@ -135,7 +141,7 @@ Version 250:

 * Use SaxonHE in reference generation
 * Cleanup endianness conversions
-* Set parser status and flags even if body_limit_ has been reached 
+* Set parser status and flags even if body_limit_ has been reached

 --------------------------------------------------------------------------------

--- a/include/boost/beast/http/basic_dynamic_body.hpp
+++ b/include/boost/beast/http/basic_dynamic_body.hpp
@ -13,6 +13,7 @@
 #include <boost/beast/core/detail/config.hpp>
 #include <boost/beast/core/buffer_traits.hpp>
 #include <boost/beast/core/detail/buffer.hpp>
+#include <boost/beast/core/detail/clamp.hpp>
 #include <boost/beast/http/error.hpp>
 #include <boost/beast/http/message.hpp>
 #include <boost/optional.hpp>
@ -89,7 +90,7 @@ struct basic_dynamic_body
            error_code& ec)
        {
            auto const n = buffer_bytes(buffers);
-            if(body_.size() > body_.max_size() - n)
+            if(beast::detail::sum_exceeds(body_.size(), n, body_.max_size()))
            {
                ec = error::buffer_overflow;
                return 0;
--- a/test/beast/http/dynamic_body.cpp
+++ b/test/beast/http/dynamic_body.cpp
@ -39,7 +39,7 @@ public:
    }

    void
-    run() override
+    test_success()
    {
        std::string const s =
            "HTTP/1.1 200 OK\r\n"
@ -55,6 +55,34 @@ public:
        BEAST_EXPECT(buffers_to_string(m.body().data()) == "xyz");
        BEAST_EXPECT(to_string(m) == s);
    }
+
+    void
+    test_issue1581()
+    {
+        std::string const s =
+            "HTTP/1.1 200 OK\r\n"
+            "Server: test\r\n"
+            "Content-Length: 132\r\n"
+            "\r\n"
+            "xyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxyz"
+            "xyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxyz"
+            "xyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxyz"
+            "xyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxyz";
+        test::stream ts(ioc_, s);
+        response_parser<dynamic_body> p;
+        multi_buffer b;
+        p.get().body().max_size(64);
+        error_code ec;
+        read(ts, b, p, ec);
+        BEAST_EXPECT(ec == http::error::buffer_overflow);
+    }
+
+    void
+    run() override
+    {
+        test_success();
+        test_issue1581();
+    }
 };

 BEAST_DEFINE_TESTSUITE(beast,http,dynamic_body);