[bitreq] Use saturating_add for chunked content-length accumulation

tnull · tnull · commit 931c3c84369d · 2026-01-15T13:18:02.000+01:00
Use saturating_add instead of += when accumulating content_length in
chunked transfer encoding. This prevents integer overflow on 32-bit
systems where a malicious server could send chunk sizes that cause
the accumulated length to wrap around.

Co-Authored-By: Claude AI
diff --git a/bitreq/src/response.rs b/bitreq/src/response.rs
@@ -584,7 +584,7 @@ macro_rules! define_read_methods {
                     return None;
                 }
                 *chunk_length = incoming_length;
-                *content_length += incoming_length;
+                *content_length = content_length.saturating_add(incoming_length);
             }
 
             if *chunk_length > 0 {

Original file line number	Diff line number	Diff line change
`@@ -584,7 +584,7 @@ macro_rules! define_read_methods {`
`584`	`584`	`return None;`
`585`	`585`	`}`
`586`	`586`	`*chunk_length = incoming_length;`
`587`		`- *content_length += incoming_length;`
	`587`	`+ *content_length = content_length.saturating_add(incoming_length);`
`588`	`588`	`}`
`589`	`589`
`590`	`590`	`if *chunk_length > 0 {`