diff options
| author | Philip Withnall <withnall@endlessm.com> | 2020-07-01 13:01:32 +0100 |
|---|---|---|
| committer | Claudio Saavedra <csaavedra@igalia.com> | 2020-07-02 18:26:13 +0000 |
| commit | ab859a8adaf37e2cbdb11b4e4b825b872b93ed74 (patch) | |
| tree | 3107a7b49dc062e92eba3101ead540faea1c93e6 /po/fr.po | |
| parent | 7199743b074ff265dc69ba1b839ae3b6b9f3623b (diff) | |
| download | libsoup-ab859a8adaf37e2cbdb11b4e4b825b872b93ed74.tar.gz | |
soup-uri: Check string lengths before reading bytes of %-encoded chars
There are two instances in `SoupURI` where `g_ascii_isxdigit()` is
called two bytes ahead of the read pointer to check if a %-encoding is
valid. This is fine when the string being parsed is nul-terminated (as
the first `g_ascii_isxdigit()` call will safely return `FALSE`), but
will result in a read off the end of the buffer if it’s
length-terminated (and doesn’t happen to also be nul-terminated).
Thankfully, that’s not the case in any of the code paths in `SoupURI`
leading to these two instances, so this is not a security issue.
However, the functions should probably be fixed to do an appropriate
length check, just in case they get called from somewhere else in
future.
Spotted by oss-fuzz in oss-fuzz#23815 and oss-fuzz#23818, when it was
fuzzing the new `GUri` implementation in GLib, which is heavily based
off this code.
Includes two unit tests which don’t actually trigger the original
failure (as all strings passed into `SoupURI` are forced to be
nul-terminated), but would trigger it if the nul termination was not
present.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Diffstat (limited to 'po/fr.po')
0 files changed, 0 insertions, 0 deletions