url: do not read past end of buffer

matvore · gitster · commit 3f6b8a6177f3 · 2019-06-04T14:48:06.000-07:00
url_decode_internal could have been tricked into reading past the length
of the **query buffer if there are fewer than 2 characters after a % (in
a null-terminated string, % would have to be the last character).
Prevent this from happening by checking len before decoding the %
sequence.

Helped-by: René Scharfe &lt;l.s.r@web.de&gt;
Signed-off-by: Matthew DeVore &lt;matvore@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
diff --git a/url.c b/url.c
@@ -46,7 +46,7 @@ static char *url_decode_internal(const char **query, int len,
 			break;
 		}
 
-		if (c == '%') {
+		if (c == '%' && (len < 0 || len >= 3)) {
 			int val = hex2chr(q + 1);
 			if (0 <= val) {
 				strbuf_addch(out, val);

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ static char url_decode_internal(const char *query, int len,`
`46`	`46`	`break;`
`47`	`47`	`}`
`48`	`48`
`49`		`- if (c == '%') {`
	`49`	`+ if (c == '%' && (len < 0 \|\| len >= 3)) {`
`50`	`50`	`int val = hex2chr(q + 1);`
`51`	`51`	`if (0 <= val) {`
`52`	`52`	`strbuf_addch(out, val);`