From 57d8756afd722b7a95a5e17916a8e36e83394300 Mon Sep 17 00:00:00 2001
From: Guido Vranken <guidovranken@gmail.com>
Date: Tue, 12 Aug 2025 20:19:31 +0200
Subject: [PATCH] Fix integer overflow in actix_http::ws::Parser::parse

---
 actix-http/src/ws/frame.rs | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/actix-http/src/ws/frame.rs b/actix-http/src/ws/frame.rs
index 35b3f8e66..7147cc92a 100644
--- a/actix-http/src/ws/frame.rs
+++ b/actix-http/src/ws/frame.rs
@@ -94,11 +94,21 @@ impl Parser {
             Some(res) => res,
         };
 
+        let frame_len = match idx.checked_add(length) {
+            Some(len) => len,
+            None => return Err(ProtocolError::Overflow),
+        };
+
         // not enough data
-        if src.len() < idx + length {
+        if src.len() < frame_len {
             let min_length = min(length, max_size);
-            if src.capacity() < idx + min_length {
-                src.reserve(idx + min_length - src.capacity());
+            let required_cap = match idx.checked_add(min_length) {
+                Some(cap) => cap,
+                None => return Err(ProtocolError::Overflow),
+            };
+
+            if src.capacity() < required_cap {
+                src.reserve(required_cap - src.capacity());
             }
             return Ok(None);
         }
@@ -402,4 +412,14 @@ mod tests {
         Parser::write_close(&mut buf, None, false);
         assert_eq!(&buf[..], &vec![0x88, 0x00][..]);
     }
+
+    #[test]
+    fn test_parse_length_overflow() {
+        let buf: [u8; 14] = [
+            0x0a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xeb, 0x0e, 0x8f,
+        ];
+        let mut buf = BytesMut::from(&buf[..]);
+        let result = Parser::parse(&mut buf, true, 65536);
+        assert!(matches!(result, Err(ProtocolError::Overflow)));
+    }
 }