From f12d0cdb42d4e74dffe1525d4062c815c48ac57a Mon Sep 17 00:00:00 2001
From: tildeslash
Date: Mon, 4 Mar 2019 15:49:08 +0100
Subject: [PATCH] Fixed: Buffer overrun vulnerability in URL decoding. Thanks to Zack Flack for report.
---
 src/util.c | 16 +++++++++-------
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/util.c b/src/util.c
index 401a9bc..ab1b48d 100644
--- a/src/util.c
+++ b/src/util.c
@@ -234,7 +234,7 @@ static char *is_str_defined(char *s) {
 /**
 * Convert a hex char to a char
 */
-static char x2c(char *hex) {
+static char _x2c(char *hex) {
 register char digit;
 digit = ((hex[0] >= 'A') ? ((hex[0] & 0xdf) - 'A')+10 : (hex[0] - '0'));
 digit *= 16;
@@ -525,7 +525,7 @@ void Util_handleEscapes(char *buf) {
 */
 *(buf + insertpos) = *(buf+editpos);
 } else {
- *(buf + insertpos) = x2c(&buf[editpos + 3]);
+ *(buf + insertpos) = _x2c(&buf[editpos + 3]);
 editpos += 4;
 }
 }
@@ -561,7 +561,7 @@ int Util_handle0Escapes(char *buf) {
 switch (*(buf + editpos + 1)) {
 case '0':
 if (*(buf + editpos + 2) == 'x') {
- *(buf + insertpos) = x2c(&buf[editpos+3]);
+ *(buf + insertpos) = _x2c(&buf[editpos+3]);
 editpos += 4;
 }
 break;
@@ -1551,13 +1551,15 @@ char *Util_urlDecode(char *url) {
 if (url && *url) {
 register int x, y;
 for (x = 0, y = 0; url[y]; x++, y++) {
- if ((url[x] = url[y]) == '+')
+ if (url[y] == '+') {
 url[x] = ' ';
- else if (url[x] == '%') {
- if (! (url[x + 1] && url[x + 2]))
+ } else if (url[y] == '%') {
+ if (! url[y + 1] || ! url[y + 2])
 break;
- url[x] = x2c(url + y + 1);
+ url[x] = _x2c(url + y + 1);
 y += 2;
+ } else {
+ url[x] = url[y];
 }
 }
 url[x] = 0;
-- 
2.10.5
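Review bot: The `_x2c(&buf[editpos + 3])` calls in the Util_handleEscapes and Util_handle0Escapes hunks keep the unchecked lookahead that this commit removes from Util_urlDecode. In the Util_handle0Escapes hunk only `buf[editpos + 1]` and `buf[editpos + 2]` are tested before the helper is handed the next bytes and `editpos` advances by 4, so an input ending right after `\0x` appears to be read past its terminator, with `editpos` stepped beyond it. A guard such as `if (*(buf + editpos + 2) == 'x' && buf[editpos + 3] && buf[editpos + 4]) {` would close that case. The condition in front of the Util_handleEscapes call, both enclosing loops and the rest of `_x2c` lie outside these hunks, so this needs confirming against the full functions.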
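Review bot: The new `%` branch in Util_urlDecode only checks that the two following bytes are non-NUL, so a sequence such as `%zz` is still handed to `_x2c`, which from the visible arithmetic does no digit validation and yields an arbitrary byte. Testing the digits covers the end-of-string case too: `if (! isxdigit((unsigned char)url[y + 1]) || ! isxdigit((unsigned char)url[y + 2]))` (this needs `<ctype.h>`, whose inclusion is not visible here). Separately, `%00` still decodes to an embedded terminator that shortens the string for every later consumer, and the `break` drops the rest of the input after a truncated escape; both deserve a comment above the loop, for example `/* A truncated escape stops decoding; %00 yields an embedded NUL */`, or an explicit rejection if callers rely on the full URL. The function's return path lies outside the hunk.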