From 29f259cc24a574574d4fdbd1681ad51124e93bda Mon Sep 17 00:00:00 2001
From: Guenter Obiltschnig
Date: Tue, 24 Jan 2017 13:11:41 +0100
Subject: [PATCH] fix a potential DoS vulnerability by restricting the length of the HTTP chunk size in chunked transfer encoding
---
 Net/src/HTTPChunkedStream.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Net/src/HTTPChunkedStream.cpp b/Net/src/HTTPChunkedStream.cpp
index 8c0b0ff48..e518cfc08 100644
--- a/Net/src/HTTPChunkedStream.cpp
+++ b/Net/src/HTTPChunkedStream.cpp
@@ -67,7 +67,8 @@ int HTTPChunkedStreamBuf::readFromDevice(char* buffer, std::streamsize length)
 int ch = _session.get();
 while (Poco::Ascii::isSpace(ch)) ch = _session.get();
 std::string chunkLen;
- while (Poco::Ascii::isHexDigit(ch)) { chunkLen += (char) ch; ch = _session.get(); }
+ while (Poco::Ascii::isHexDigit(ch) && chunkLen.size() < 8) { chunkLen += (char) ch; ch = _session.get(); }
+ if (ch != eof && !(Poco::Ascii::isSpace(ch) || ch == ';')) return eof;
 while (ch != eof && ch != '\n') ch = _session.get();
 unsigned chunk;
 if (NumberParser::tryParseHex(chunkLen, chunk))
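Review bot: The skip loop directly after the new check, `while (ch != eof && ch != '\n') ch = _session.get();`, still discards the rest of the chunk-size line with no limit, so a size followed by `;` and an arbitrarily long chunk extension keeps this call reading for as long as the peer keeps sending. The commit bounds only the hex digits; consider counting the skipped bytes and failing past a cap, e.g. `int skipped = 0; while (ch != eof && ch != '\n' && ++skipped <= MAX_CHUNK_EXT) ch = _session.get();` followed by `if (ch != eof && ch != '\n') return eof;`, where MAX_CHUNK_EXT is a placeholder for a constant the project would define. The literal `8` also silently assumes a 32-bit `unsigned chunk`; a named constant (or `2 * sizeof(unsigned)`) with a one-line comment would make that coupling explicit. readFromDevice begins and ends outside the hunk, so whether a malformed size returning `eof` is distinguishable from a normal end of body for the caller cannot be judged from here.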