details: https://hg.nginx.org/njs/rev/d67e5b627677 branches: changeset: 2352:d67e5b627677 user: Dmitry Volyntsev <xei...@nginx.com> date: Thu Jun 06 23:10:12 2024 -0700 description: Fixed open byte overread in decodeURI() and decodeURIComponent().
Found by OSS-Fuzz and MemorySanitizer. diffstat: src/njs_string.c | 2 +- src/test/njs_unit_test.c | 4 ++++ 2 files changed, 5 insertions(+), 1 deletions(-) diffs (33 lines):
diff -r 993e28c8eb84 -r d67e5b627677 src/njs_string.c
--- a/src/njs_string.c Wed Jun 05 18:23:18 2024 -0700
+++ b/src/njs_string.c Thu Jun 06 23:10:12 2024 -0700
@@ -4074,7 +4074,7 @@ njs_string_decode_uri(njs_vm_t *vm, njs_
 n++;
 } while (((cp << n) & 0x80));
- if (njs_slow_path(n > 4)) {
+ if (njs_slow_path(n > 4 || src + njs_length("%00") * (n - 1) > end)) {
 goto uri_error;
 }
diff -r 993e28c8eb84 -r d67e5b627677 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Wed Jun 05 18:23:18 2024 -0700
+++ b/src/test/njs_unit_test.c Thu Jun 06 23:10:12 2024 -0700
@@ -10016,13 +10016,17 @@ static njs_unit_test_t njs_test[] =
 " '%',"
 " '%0',"
 " '%QQ',"
+ " '%C0%' + '0',"
 " '%C0%10',"
+ " '%C0%80',"
 " '%DC%C7',"
 " '%80%81%82',"
 " '%EF%5C%A0',"
 " '%EF%A0%5E',"
+ " '%E0%EF%' + '0',"
 " '%E0%EF%A0',"
 " '%E0%A0%EF',"
+ " '%F0%A2%95%' + '0',"
 " '%FF%A2%95%BB',"
 "].every(v=>{try { decodeURI(v)} catch(e) {return e.name == 'URIError'}})"),
 njs_str("true")},
_______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
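Review bot: The added guard `src + njs_length("%00") * (n - 1) > end` in the njs_string.c hunk builds a pointer that can lie more than one element past the end of the input before it is compared. That is undefined behaviour in C, and it arises in exactly the truncated-input case the check is meant to reject. Comparing remaining length against required length avoids forming the out-of-range pointer: `if (njs_slow_path(n > 4 || (size_t) (end - src) < njs_length("%00") * (size_t) (n - 1))) {`. This assumes `src <= end` and `n >= 1` here, which the visible do/while suggests but the hunk does not show, since the body of njs_string_decode_uri starts and ends outside it. A one-line comment above the check, such as `/* each of the n - 1 continuation bytes needs a full "%XX" escape */`, would make the intent of the `njs_length("%00")` factor explicit.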
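Review bot: The new regression inputs in the njs_unit_test.c hunk are only run through `decodeURI(v)`, while the commit description names `decodeURIComponent()` as affected too. Unless an equivalent entry exists outside the hunk, a parallel case using `"].every(v=>{try { decodeURIComponent(v)} catch(e) {return e.name == 'URIError'}})"` would pin both entry points. The truncated inputs are built as `'%C0%' + '0'` rather than as a single literal, presumably so the string is assembled at run time with no trailing bytes for a sanitizer to miss. A short comment stating that reason would stop a later cleanup from folding them back into literals. The test entry begins before the hunk.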