commit 5ad0df91757fbc577ffceeca633725e962da345d
Author:     HushBugger <[email protected]>
AuthorDate: Tue Aug 16 22:37:50 2022 +0200
Commit:     Laslo Hunhold <[email protected]>
CommitDate: Sun Feb 26 20:20:04 2023 +0100

    Fix buffer over-read in decode()
    
    The format specifier for parsing percent-formatted characters uses a
    maximum number of digits, not an exact number of digits.
    
    If the hex number has only one digit this will skip a character,
    potentially pointing past the terminating null byte.

diff --git a/http.c b/http.c
index 5b9dade..36f8b1c 100644
--- a/http.c
+++ b/http.c
@@ -135,12 +135,14 @@ decode(const char src[PATH_MAX], char dest[PATH_MAX])
        uint8_t n;
        const char *s;
 
-       for (s = src, i = 0; *s; s++, i++) {
-               if (*s == '%' && (sscanf(s + 1, "%2hhx", &n) == 1)) {
+       for (s = src, i = 0; *s; i++) {
+               if (*s == '%' && isxdigit((unsigned char)s[1]) &&
+                   isxdigit((unsigned char)s[2])) {
+                       sscanf(s + 1, "%2hhx", &n);
                        dest[i] = n;
-                       s += 2;
+                       s += 3;
                } else {
-                       dest[i] = *s;
+                       dest[i] = *s++;
                }
        }
        dest[i] = '\0';
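Review bot: A `%00` escape is now decoded into an embedded NUL at `dest[i] = n;`, so the decoded string is silently truncated at that point for any later C-string consumer (path lookup, logging) while `i` keeps advancing; the over-read is fixed but NUL injection into the decoded path is not rejected. I would add `if (n == '\0') { /* reject: embedded NUL in percent-encoded input */ }` after the `sscanf` and fail the request there — decode's return convention is not visible in this hunk, so the exact error path has to follow the rest of the function. The `isxdigit` guards make the `sscanf` return value safe to ignore, but the call now also needs `<ctype.h>`, which this hunk does not show being included. The body of `decode` starts before and ends after this hunk.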
