[core] bounds check while url-decoding

(thx helmut)

do not read-ahead past '\0' while url-decoding

lighttpd 1.4.60 could previously have read one byte of potentially
uninitialized data. lighttpd detects the '\0' so there is no exposure
of data. This also cannot cause a crash in lighttpd 1.4.60 due to how
lighttpd 1.4.60 allocates memory for buffers in sizes (power-2 + 1),
and typical system malloc alignment of 4 or 8 bytes.
master
Glenn Strauss 2 months ago
parent
commit
07c8a6f056
src/buffer.c

@ -753,9 +753,9 @@ void buffer_urldecode_path(buffer * const b) {
char *dst = src;
do {
/* *src == '%' */
unsigned char high = hex2int(*(src + 1));
unsigned char low = hex2int(*(src + 2));
if (0xFF != high && 0xFF != low) {
unsigned char high = ((unsigned char *)src)[1];
unsigned char low = high ? hex2int(((unsigned char *)src)[2]) : 0xFF;
if (0xFF != (high = hex2int(high)) && 0xFF != low) {
high = (high << 4) | low; /* map ctrls to '_' */
*dst = (high >= 32 && high != 127) ? high : '_';
src += 2;
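
Review bot: The new `if` condition overwrites `high` in place (`0xFF != (high = hex2int(high))`) after the line above has used the raw byte from `src[1]` as the NUL test, so the actual bounds check, the `high ? ... : 0xFF` ternary that keeps `src[2]` from being read when `src[1]` is '\0', is easy to miss and easy to break in a later cleanup. A one-line comment on the `low` assignment saying that `src[2]` is only read when `src[1]` is not the terminator, or a separate variable for the raw byte so the decode is not an assignment inside the condition, would make the intent explicit. The change shown touches only src/buffer.c; a test that decodes paths ending in "%" and in "%" followed by a single hex digit would pin the fixed behaviour.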
