[hackers] [quark][PATCH] Fix buffer over-read in decode()

From: HushBugger <hushbugger_AT_posteo.net>
Date: Tue, 16 Aug 2022 17:42:50 +0000

The format specifier for parsing percent-formatted characters uses
a maximum number of digits, not an exact number of digits.

If the hex number has only one digit this will skip a character,
potentially pointing past the terminating null byte.
---
  http.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/http.c b/http.c
index 5b9dade..fb2dc42 100644
--- a/http.c
+++ b/http.c
_AT_@ -136,7 +136,8 @@ decode(const char src[PATH_MAX], char 
dest[PATH_MAX])
         const char *s;
         for (s = src, i = 0; *s; s++, i++) {
-               if (*s == '%' && (sscanf(s + 1, "%2hhx", &n) == 1)) {
+               if (*s == '%' && isxdigit(s[1]) && isxdigit(s[2])) {
+                       sscanf(s + 1, "%2hhx", &n);
                         dest[i] = n;
                         s += 2;
                 } else {
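Review bot: the new condition passes a plain `char` to `isxdigit()`; if `char` is signed and the request path contains a byte of 0x80 or above, the argument is negative, which is outside the range the ctype functions accept and is undefined behaviour. Cast first: `isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])`. Two smaller points on the same lines: the return value of `sscanf()` is now discarded (correct, since both digits were just validated, but a `(void)` or a short comment would make that intent visible), and the hunk adds no `#include <ctype.h>`, so confirm http.c already includes it.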
--
2.36.2
Received on Tue Aug 16 2022 - 19:42:50 CEST
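The mechanism described in the commit message, as an added example that is not code from the quark project or from the patch author: a minimal percent-decoder in its pre-patch form beside the patched form, run on a constructed input where `%` is followed by a single hex digit and then the terminating NUL. The sample array deliberately carries bytes after the NUL so the over-read stays inside the array and can be observed rather than crashing. Function names, the `destsz` bound and the `unsigned char` casts are assumptions made for this example, not quark's own signatures.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not from the original post): "%A", the NUL
 * terminator, then three more bytes. A correct decoder must stop at the
 * NUL; the buggy one walks into "XYZ". In a real request buffer those
 * bytes would be whatever happens to follow the path in memory. */
static const char SAMPLE_TRUNCATED[] = "%A\0XYZ";

/* Pre-patch logic. "%2hhx" matches *up to* two hex digits, so "%A" parses
 * from a single digit, yet the loop still skips two bytes. When that skip
 * lands on the NUL, the for-loop's s++ steps past it.
 * Returns how many bytes of src were read before a NUL stopped the loop,
 * so a caller can see how far past the string it went. */
static size_t decode_buggy(const char *src, char *dest, size_t destsz)
{
	unsigned char n;
	const char *s;
	size_t i;

	for (s = src, i = 0; *s && i + 1 < destsz; s++, i++) {
		if (*s == '%' && sscanf(s + 1, "%2hhx", &n) == 1) {
			dest[i] = (char)n;
			s += 2;
		} else {
			dest[i] = *s;
		}
	}
	dest[i] = '\0';
	return (size_t)(s - src);
}

/* Patched logic: require exactly two hex digits before decoding, so the
 * two-byte skip is always justified. The unsigned char casts are an
 * addition here: isxdigit() on a negative char (bytes >= 0x80 in a path)
 * is undefined behaviour. The && short-circuits, so s[2] is never read
 * when s[1] is the NUL. */
static size_t decode_fixed(const char *src, char *dest, size_t destsz)
{
	unsigned char n;
	const char *s;
	size_t i;

	for (s = src, i = 0; *s && i + 1 < destsz; s++, i++) {
		if (*s == '%' && isxdigit((unsigned char)s[1]) &&
		    isxdigit((unsigned char)s[2])) {
			(void)sscanf(s + 1, "%2hhx", &n); /* cannot fail now */
			dest[i] = (char)n;
			s += 2;
		} else {
			dest[i] = *s;
		}
	}
	dest[i] = '\0';
	return (size_t)(s - src);
}

int main(void)
{
	char out[32];
	size_t len = strlen(SAMPLE_TRUNCATED); /* 2: the NUL ends the string */

	printf("string length: %zu\n", len);
	printf("buggy decoder read %zu bytes\n",
	       decode_buggy(SAMPLE_TRUNCATED, out, sizeof out));
	printf("fixed decoder read %zu bytes, dest=\"%s\"\n",
	       decode_fixed(SAMPLE_TRUNCATED, out, sizeof out), out);
	return 0;
}
```

On the sample input the buggy decoder reports 6 bytes consumed for a 2-byte string and copies "XYZ" into `dest`; the fixed decoder stops at the NUL and, as in quark's else branch, copies the malformed `%A` through literally. Well-formed sequences such as `%41%2F` decode identically in both.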