diff options
author | Dan Winship <danw@gnome.org> | 2017-08-07 09:59:49 -0400 |
---|---|---|
committer | Dan Winship <danw@gnome.org> | 2017-08-07 09:59:49 -0400 |
commit | 7aa41c2f6b2b159a2503cf02dc203cbf1493c4b7 (patch) | |
tree | d2c29755678103d4c4e88000c1a71913b2b7a7de | |
parent | 7cd1e328ec3243da7a0e83ba860ae83b8b1438e5 (diff) | |
download | libsoup-7aa41c2f6b2b159a2503cf02dc203cbf1493c4b7.tar.gz |
Fix out-of-bounds read in URI parsing
https://bugzilla.gnome.org/show_bug.cgi?id=785042
-rw-r--r-- | libsoup/soup-uri.c | 2 | ||||
-rw-r--r-- | tests/uri-parsing.c | 6 |
2 files changed, 6 insertions, 2 deletions
diff --git a/libsoup/soup-uri.c b/libsoup/soup-uri.c index 3eafd873..32ade292 100644 --- a/libsoup/soup-uri.c +++ b/libsoup/soup-uri.c @@ -453,7 +453,7 @@ soup_uri_new_with_base (SoupURI *base, const char *uri_string) } /* Remove "<segment>/.." at end where <segment> != ".." */ q = strrchr (uri->path, '/'); - if (q && !strcmp (q, "/..")) { + if (q && q != uri->path && !strcmp (q, "/..")) { p = q - 1; while (p > uri->path && *p != '/') p--; diff --git a/tests/uri-parsing.c b/tests/uri-parsing.c index ba3b1290..85f09b9e 100644 --- a/tests/uri-parsing.c +++ b/tests/uri-parsing.c @@ -151,7 +151,11 @@ static struct { { "http://[fe80::dead:beef%25em1]/", "http://[fe80::dead:beef%25em1]/", NULL, { "http", NULL, NULL, "fe80::dead:beef%em1", 80, "/", NULL, NULL } }, { "http://[fe80::dead:beef%10]/", "http://[fe80::dead:beef%2510]/", NULL, - { "http", NULL, NULL, "fe80::dead:beef%10", 80, "/", NULL, NULL } } + { "http", NULL, NULL, "fe80::dead:beef%10", 80, "/", NULL, NULL } }, + + /* ".." past top */ + { "http://example.com/..", "http://example.com/", "785042", + { "http", NULL, NULL, "example.com", 80, "/", NULL, NULL } }, }; static int num_abs_tests = G_N_ELEMENTS(abs_tests); |