1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
From f12d0cdb42d4e74dffe1525d4062c815c48ac57a Mon Sep 17 00:00:00 2001
From: tildeslash <info@tildeslash.com>
Date: Mon, 4 Mar 2019 15:49:08 +0100
Subject: [PATCH] Fixed: Buffer overrun vulnerability in URL decoding. Thanks
to Zack Flack for report.
---
src/util.c | 16 +++++++++-------
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/util.c b/src/util.c
index 401a9bc..ab1b48d 100644
--- a/src/util.c
+++ b/src/util.c
@@ -234,7 +234,7 @@ static char *is_str_defined(char *s) {
/**
* Convert a hex char to a char
*/
-static char x2c(char *hex) {
+static char _x2c(char *hex) {
register char digit;
digit = ((hex[0] >= 'A') ? ((hex[0] & 0xdf) - 'A')+10 : (hex[0] - '0'));
digit *= 16;
@@ -525,7 +525,7 @@ void Util_handleEscapes(char *buf) {
*/
*(buf + insertpos) = *(buf+editpos);
} else {
- *(buf + insertpos) = x2c(&buf[editpos + 3]);
+ *(buf + insertpos) = _x2c(&buf[editpos + 3]);
editpos += 4;
}
}
@@ -561,7 +561,7 @@ int Util_handle0Escapes(char *buf) {
switch (*(buf + editpos + 1)) {
case '0':
if (*(buf + editpos + 2) == 'x') {
- *(buf + insertpos) = x2c(&buf[editpos+3]);
+ *(buf + insertpos) = _x2c(&buf[editpos+3]);
editpos += 4;
}
break;
@@ -1551,13 +1551,15 @@ char *Util_urlDecode(char *url) {
if (url && *url) {
register int x, y;
for (x = 0, y = 0; url[y]; x++, y++) {
- if ((url[x] = url[y]) == '+')
+ if (url[y] == '+') {
url[x] = ' ';
- else if (url[x] == '%') {
- if (! (url[x + 1] && url[x + 2]))
+ } else if (url[y] == '%') {
+ if (! url[y + 1] || ! url[y + 2])
break;
- url[x] = x2c(url + y + 1);
+ url[x] = _x2c(url + y + 1);
y += 2;
+ } else {
+ url[x] = url[y];
}
}
url[x] = 0;
--
2.10.5
|