Parenthesized ASCII-related calculations.

This also fixes potential undefined behaviour in the range and slice filter modules, caused by local overflows of signed integers in expressions.
ggbg · Jul 17, 2017 · 9197a3c · 9197a3c
1 parent 7b06d9c
commit 9197a3c
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 29 deletions.
diff --git a/src/core/ngx_parse_time.c b/src/core/ngx_parse_time.c
@@ -58,7 +58,7 @@ ngx_parse_http_time(u_char *value, size_t len)
             return NGX_ERROR;
         }
 
-        day = (*p - '0') * 10 + *(p + 1) - '0';
+        day = (*p - '0') * 10 + (*(p + 1) - '0');
         p += 2;
 
         if (*p == ' ') {
@@ -132,15 +132,15 @@ ngx_parse_http_time(u_char *value, size_t len)
         }
 
         year = (*p - '0') * 1000 + (*(p + 1) - '0') * 100
-               + (*(p + 2) - '0') * 10 + *(p + 3) - '0';
+               + (*(p + 2) - '0') * 10 + (*(p + 3) - '0');
         p += 4;
 
     } else if (fmt == rfc850) {
         if (*p < '0' || *p > '9' || *(p + 1) < '0' || *(p + 1) > '9') {
             return NGX_ERROR;
         }
 
-        year = (*p - '0') * 10 + *(p + 1) - '0';
+        year = (*p - '0') * 10 + (*(p + 1) - '0');
         year += (year < 70) ? 2000 : 1900;
         p += 2;
     }
@@ -161,7 +161,7 @@ ngx_parse_http_time(u_char *value, size_t len)
                 return NGX_ERROR;
             }
 
-            day = day * 10 + *p++ - '0';
+            day = day * 10 + (*p++ - '0');
         }
 
         if (end - p < 14) {
@@ -177,7 +177,7 @@ ngx_parse_http_time(u_char *value, size_t len)
         return NGX_ERROR;
     }
 
-    hour = (*p - '0') * 10 + *(p + 1) - '0';
+    hour = (*p - '0') * 10 + (*(p + 1) - '0');
     p += 2;
 
     if (*p++ != ':') {
@@ -188,7 +188,7 @@ ngx_parse_http_time(u_char *value, size_t len)
         return NGX_ERROR;
     }
 
-    min = (*p - '0') * 10 + *(p + 1) - '0';
+    min = (*p - '0') * 10 + (*(p + 1) - '0');
     p += 2;
 
     if (*p++ != ':') {
@@ -199,7 +199,7 @@ ngx_parse_http_time(u_char *value, size_t len)
         return NGX_ERROR;
     }
 
-    sec = (*p - '0') * 10 + *(p + 1) - '0';
+    sec = (*p - '0') * 10 + (*(p + 1) - '0');
 
     if (fmt == isoc) {
         p += 2;
@@ -216,7 +216,7 @@ ngx_parse_http_time(u_char *value, size_t len)
         }
 
         year = (*p - '0') * 1000 + (*(p + 1) - '0') * 100
-               + (*(p + 2) - '0') * 10 + *(p + 3) - '0';
+               + (*(p + 2) - '0') * 10 + (*(p + 3) - '0');
     }
 
     if (hour > 23 || min > 59 || sec > 59) {

diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
@@ -178,7 +178,7 @@ ngx_vslprintf(u_char *buf, u_char *last, const char *fmt, va_list args)
             slen = (size_t) -1;
 
             while (*fmt >= '0' && *fmt <= '9') {
-                width = width * 10 + *fmt++ - '0';
+                width = width * 10 + (*fmt++ - '0');
             }
 
 
@@ -211,7 +211,7 @@ ngx_vslprintf(u_char *buf, u_char *last, const char *fmt, va_list args)
                     fmt++;
 
                     while (*fmt >= '0' && *fmt <= '9') {
-                        frac_width = frac_width * 10 + *fmt++ - '0';
+                        frac_width = frac_width * 10 + (*fmt++ - '0');
                     }
 
                     break;
@@ -1655,7 +1655,7 @@ ngx_unescape_uri(u_char **dst, u_char **src, size_t size, ngx_uint_t type)
             state = sw_usual;
 
             if (ch >= '0' && ch <= '9') {
-                ch = (u_char) ((decoded << 4) + ch - '0');
+                ch = (u_char) ((decoded << 4) + (ch - '0'));
 
                 if (type & NGX_UNESCAPE_REDIRECT) {
                     if (ch > '%' && ch < 0x7f) {
@@ -1675,7 +1675,7 @@ ngx_unescape_uri(u_char **dst, u_char **src, size_t size, ngx_uint_t type)
 
             c = (u_char) (ch | 0x20);
             if (c >= 'a' && c <= 'f') {
-                ch = (u_char) ((decoded << 4) + c - 'a' + 10);
+                ch = (u_char) ((decoded << 4) + (c - 'a') + 10);
 
                 if (type & NGX_UNESCAPE_URI) {
                     if (ch == '?') {

diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
@@ -1486,7 +1486,7 @@ ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx)
                 return NGX_ERROR;
             }
 
-            ctx->code = ctx->code * 10 + ch - '0';
+            ctx->code = ctx->code * 10 + (ch - '0');
 
             if (++ctx->count == 3) {
                 state = sw_space_after_status;

diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c
@@ -315,7 +315,7 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx,
                     return NGX_HTTP_RANGE_NOT_SATISFIABLE;
                 }
 
-                start = start * 10 + *p++ - '0';
+                start = start * 10 + (*p++ - '0');
             }
 
             while (*p == ' ') { p++; }
@@ -345,7 +345,7 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx,
                 return NGX_HTTP_RANGE_NOT_SATISFIABLE;
             }
 
-            end = end * 10 + *p++ - '0';
+            end = end * 10 + (*p++ - '0');
         }
 
         while (*p == ' ') { p++; }

diff --git a/src/http/modules/ngx_http_slice_filter_module.c b/src/http/modules/ngx_http_slice_filter_module.c
@@ -317,7 +317,7 @@ ngx_http_slice_parse_content_range(ngx_http_request_t *r,
             return NGX_ERROR;
         }
 
-        start = start * 10 + *p++ - '0';
+        start = start * 10 + (*p++ - '0');
     }
 
     while (*p == ' ') { p++; }
@@ -337,7 +337,7 @@ ngx_http_slice_parse_content_range(ngx_http_request_t *r,
             return NGX_ERROR;
         }
 
-        end = end * 10 + *p++ - '0';
+        end = end * 10 + (*p++ - '0');
     }
 
     end++;
@@ -362,7 +362,7 @@ ngx_http_slice_parse_content_range(ngx_http_request_t *r,
                 return NGX_ERROR;
             }
 
-            complete_length = complete_length * 10 + *p++ - '0';
+            complete_length = complete_length * 10 + (*p++ - '0');
         }
 
     } else {
@@ -479,7 +479,7 @@ ngx_http_slice_get_start(ngx_http_request_t *r)
             return 0;
         }
 
-        start = start * 10 + *p++ - '0';
+        start = start * 10 + (*p++ - '0');
     }
 
     return start;

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
@@ -742,7 +742,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                 return NGX_HTTP_PARSE_INVALID_REQUEST;
             }
 
-            r->http_major = r->http_major * 10 + ch - '0';
+            r->http_major = r->http_major * 10 + (ch - '0');
 
             if (r->http_major > 1) {
                 return NGX_HTTP_PARSE_INVALID_VERSION;
@@ -784,7 +784,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                 return NGX_HTTP_PARSE_INVALID_REQUEST;
             }
 
-            r->http_minor = r->http_minor * 10 + ch - '0';
+            r->http_minor = r->http_minor * 10 + (ch - '0');
             break;
 
         case sw_spaces_after_digit:
@@ -1518,7 +1518,7 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r, ngx_uint_t merge_slashes)
 
         case sw_quoted_second:
             if (ch >= '0' && ch <= '9') {
-                ch = (u_char) ((decoded << 4) + ch - '0');
+                ch = (u_char) ((decoded << 4) + (ch - '0'));
 
                 if (ch == '%' || ch == '#') {
                     state = sw_usual;
@@ -1536,7 +1536,7 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r, ngx_uint_t merge_slashes)
 
             c = (u_char) (ch | 0x20);
             if (c >= 'a' && c <= 'f') {
-                ch = (u_char) ((decoded << 4) + c - 'a' + 10);
+                ch = (u_char) ((decoded << 4) + (c - 'a') + 10);
 
                 if (ch == '?') {
                     state = sw_usual;
@@ -1701,7 +1701,7 @@ ngx_http_parse_status_line(ngx_http_request_t *r, ngx_buf_t *b,
                 return NGX_ERROR;
             }
 
-            r->http_major = r->http_major * 10 + ch - '0';
+            r->http_major = r->http_major * 10 + (ch - '0');
             break;
 
         /* the first digit of minor HTTP version */
@@ -1729,7 +1729,7 @@ ngx_http_parse_status_line(ngx_http_request_t *r, ngx_buf_t *b,
                 return NGX_ERROR;
             }
 
-            r->http_minor = r->http_minor * 10 + ch - '0';
+            r->http_minor = r->http_minor * 10 + (ch - '0');
             break;
 
         /* HTTP status code */
@@ -1742,7 +1742,7 @@ ngx_http_parse_status_line(ngx_http_request_t *r, ngx_buf_t *b,
                 return NGX_ERROR;
             }
 
-            status->code = status->code * 10 + ch - '0';
+            status->code = status->code * 10 + (ch - '0');
 
             if (++status->count == 3) {
                 state = sw_space_after_status;

diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
@@ -4503,7 +4503,7 @@ ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
             }
 
             if (*p >= '0' && *p <= '9') {
-                n = n * 10 + *p - '0';
+                n = n * 10 + (*p - '0');
                 continue;
             }
 
@@ -4531,7 +4531,7 @@ ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
             }
 
             if (*p >= '0' && *p <= '9') {
-                n = n * 10 + *p - '0';
+                n = n * 10 + (*p - '0');
                 continue;
             }
 
@@ -4554,7 +4554,7 @@ ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
             }
 
             if (*p >= '0' && *p <= '9') {
-                n = n * 10 + *p - '0';
+                n = n * 10 + (*p - '0');
                 continue;
             }