From cb602f178ccea7f0c790cf5510f7a29c017db954 Mon Sep 17 00:00:00 2001
From: Sergey Lyubka
Date: Mon, 23 Dec 2019 11:13:41 +0000
Subject: [PATCH] Fix int overflow in parse_mqtt()

PUBLISHED_FROM=f9106d2f746c67ae004aeab12685eaf9cd558cd8
---
 mongoose.c | 4 ++--
 src/mg_mqtt.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/mongoose.c b/mongoose.c
index 31a2e1ea..4dfa76d8 100644
--- a/mongoose.c
+++ b/mongoose.c
@@ -10843,7 +10843,7 @@ static const char *scanto(const char *p, struct mg_str *s) {
 MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
 uint8_t header;
- size_t len = 0, len_len = 0;
+ uint32_t len, len_len; /* must be 32-bit, see #1055 */
 const char *p, *end, *eop = &io->buf[io->len];
 unsigned char lc = 0;
 int cmd;
@@ -10860,7 +10860,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
 len += (lc & 0x7f) << 7 * len_len;
 len_len++;
 if (!(lc & 0x80)) break;
- if (len_len > 4) return MG_MQTT_ERROR_MALFORMED_MSG;
+ if (len_len > sizeof(len)) return MG_MQTT_ERROR_MALFORMED_MSG;
 }
 end = p + len;
diff --git a/src/mg_mqtt.c b/src/mg_mqtt.c
index 9ab66bc6..2624ed39 100644
--- a/src/mg_mqtt.c
+++ b/src/mg_mqtt.c
@@ -23,7 +23,7 @@ static const char *scanto(const char *p, struct mg_str *s) {
 MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
 uint8_t header;
- size_t len = 0, len_len = 0;
+ uint32_t len, len_len; /* must be 32-bit, see #1055 */
 const char *p, *end, *eop = &io->buf[io->len];
 unsigned char lc = 0;
 int cmd;
@@ -40,7 +40,7 @@ MG_INTERNAL int parse_mqtt(struct mbuf *io, struct mg_mqtt_message *mm) {
 len += (lc & 0x7f) << 7 * len_len;
 len_len++;
 if (!(lc & 0x80)) break;
- if (len_len > 4) return MG_MQTT_ERROR_MALFORMED_MSG;
+ if (len_len > sizeof(len)) return MG_MQTT_ERROR_MALFORMED_MSG;
 }
 end = p + len;
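Review bot: The new declaration `uint32_t len, len_len;` drops the `= 0` initializers that the replaced `size_t` line carried, while the loop in the second hunk starts with `len += ...` and `len_len++`, so both variables must be assigned somewhere in the lines between the two hunks, which are not shown; if they are not, the loop reads uninitialized automatics, which is undefined behaviour. The safe form is to keep the initializers on the declaration: `uint32_t len = 0, len_len = 0; /* must be 32-bit, see #1055 */`. The same declaration change is made in the src/mg_mqtt.c hunk at line 23. parse_mqtt's body continues beyond both hunks.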
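Review bot: The bound check still sits after the shift, so a fifth remaining-length byte is folded in with `7 * len_len == 28` before `len_len > sizeof(len)` rejects it; `lc & 0x7f` is promoted to int, and any value of 8 or more shifted left by 28 exceeds INT_MAX, which is signed overflow (undefined behaviour), and even smaller values corrupt `len` on that path, unless the loop condition outside the hunk already bounds `len_len`. Because the check only runs when the continuation bit is set, `if (len_len >= sizeof(len)) return MG_MQTT_ERROR_MALFORMED_MSG;` rejects a continuation bit after the fourth byte before the next shift, matching the four-byte maximum of the MQTT remaining-length field, and `len += (uint32_t)(lc & 0x7f) << (7 * len_len);` keeps the arithmetic unsigned. The same hunk appears in src/mg_mqtt.c at line 40; the loop header and the later use of `end` lie outside the hunk.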