From 21290cf0f4bfa86fa34a61725d3893a0dbbe3ef7 Mon Sep 17 00:00:00 2001
From: twosee
Date: Fri, 20 Nov 2020 14:31:59 +0800
Subject: [PATCH] Fix memory overread when parse form-data boundary (#3858)

---
 ext-src/swoole_http_request.cc | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/ext-src/swoole_http_request.cc b/ext-src/swoole_http_request.cc
index cd6b1347c70..12802fc55d2 100644
--- a/ext-src/swoole_http_request.cc
+++ b/ext-src/swoole_http_request.cc
@@ -448,21 +448,26 @@ static int http_request_on_header_value(swoole_http_parser *parser, const char *
             ctx->request.post_form_urlencoded = 1;
         } else if (SW_STRCASECT(at, length, "multipart/form-data")) {
             offset = sizeof("multipart/form-data") - 1;
-            while (at[offset] == ' ' || at[offset] == ';') {
+            // skip ' ' and ';'
+            while (offset < length && (at[offset] == ' ' || at[offset] == ';')) {
                 offset++;
             }
+            // skip 'boundary='
             offset += sizeof("boundary=") - 1;
-
             int boundary_len = length - offset;
             char *boundary_str = (char *) at + offset;
-
-            // find ';'
-            char *tmp = (char *) memchr(boundary_str, ';', boundary_len);
-            if (tmp) {
-                boundary_len = tmp - boundary_str;
+            // find eof of boundary
+            if (boundary_len > 0) {
+                // find ';'
+                char *tmp = (char *) memchr(boundary_str, ';', boundary_len);
+                if (tmp) {
+                    boundary_len = tmp - boundary_str;
+                }
             }
             if (boundary_len <= 0) {
                 swWarn("invalid multipart/form-data body fd:%ld", ctx->fd);
+                /* make it same with protocol error */
+                ctx->parser.state = s_dead;
                 return -1;
             }
             // trim '"'
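Review bot: The `offset += sizeof("boundary=") - 1;` step right after the new bounded whitespace loop is still unguarded: nothing checks that nine bytes remain or that they actually spell `boundary=`, so a header such as `multipart/form-data;` pushes `offset` past `length`, and `multipart/form-data; charset=utf-8` is accepted with the bogus boundary `tf-8`. The added `boundary_len > 0` guard only catches the first case because `int boundary_len = length - offset` happens to go negative on the underflow, which depends on the declared types of `offset` and `length` (both outside the hunk) and on an implementation-defined size_t-to-int narrowing. Testing the parameter name before advancing, with the same `SW_STRCASECT` prefix check already used for the media type, makes the rejection explicit and routes both cases through the existing `s_dead` path; the skip loop would still assume `boundary` is the first parameter, which is pre-existing but deserves a comment such as `// NOTE: only 'boundary' as the first parameter is supported`. http_request_on_header_value begins and ends outside the hunk.
```cpp
            // skip 'boundary=' — reject the header unless the parameter is really named boundary
            if (!SW_STRCASECT(at + offset, length - offset, "boundary=")) {
                swWarn("invalid multipart/form-data body fd:%ld", ctx->fd);
                /* make it same with protocol error */
                ctx->parser.state = s_dead;
                return -1;
            }
            offset += sizeof("boundary=") - 1;
            // … unchanged: boundary_len / boundary_str, the ';' search and the length check …
```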