From bfcd6cb46a2163f00479620a3dc3ec48f9de4fa0 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Mon, 28 Feb 2022 11:19:49 +0100
Subject: [PATCH] range: validity check when end is bigger than size

Ticket: 5132

Down the line, HttpRangeOpenFileAux assumes the range has a
valid value when doing buflen = end - start + 1;
---
 rust/src/http2/range.rs  | 2 +-
 src/app-layer-htp-file.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rust/src/http2/range.rs b/rust/src/http2/range.rs
index 5adae63a47..f86e2188f9 100644
--- a/rust/src/http2/range.rs
+++ b/rust/src/http2/range.rs
@@ -77,7 +77,7 @@ fn http2_parse_content_range<'a>(input: &'a [u8]) -> IResult<&'a [u8], HTTPConte
 
 pub fn http2_parse_check_content_range<'a>(input: &'a [u8]) -> IResult<&'a [u8], HTTPContentRange> {
     let (rem, v) = http2_parse_content_range(input)?;
-    if v.start > v.end {
+    if v.start > v.end || (v.end > 0 && v.size > 0 && v.end > v.size - 1) {
         return Err(Err::Error(make_error(rem, ErrorKind::Verify)));
     }
     return Ok((rem, v));
diff --git a/src/app-layer-htp-file.c b/src/app-layer-htp-file.c
index 83fbf0dab3..bdbcd29322 100644
--- a/src/app-layer-htp-file.c
+++ b/src/app-layer-htp-file.c
@@ -196,7 +196,7 @@ static int HTPParseAndCheckContentRange(
     } else if (range->end == range->size - 1 && range->start == 0) {
         SCLogDebug("range without all information");
         return -3;
-    } else if (range->start > range->end) {
+    } else if (range->start > range->end || range->end > range->size - 1) {
         AppLayerDecoderEventsSetEventRaw(&htud->tx_data.events, HTTP_DECODER_EVENT_RANGE_INVALID);
         s->events++;
         SCLogDebug("invalid range");