quark

quark web server
git clone git://git.suckless.org/quark

commit 5ad0df91757fbc577ffceeca633725e962da345d
parent a982fa636704a436c3d1016b1f82806f607b7556
Author: HushBugger <hushbugger@posteo.net>
Date:   Tue, 16 Aug 2022 22:37:50 +0200

Fix buffer over-read in decode()

The format specifier for parsing percent-formatted characters uses a
maximum number of digits, not an exact number of digits.

If the hex number has only one digit this will skip a character,
potentially pointing past the terminating null byte.

Diffstat:
Mhttp.c | 10++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/http.c b/http.c
@@ -135,12 +135,14 @@ decode(const char src[PATH_MAX], char dest[PATH_MAX])
 uint8_t n;
 const char *s;
- for (s = src, i = 0; *s; s++, i++) {
- if (*s == '%' && (sscanf(s + 1, "%2hhx", &n) == 1)) {
+ for (s = src, i = 0; *s; i++) {
+ if (*s == '%' && isxdigit((unsigned char)s[1]) &&
+ isxdigit((unsigned char)s[2])) {
+ sscanf(s + 1, "%2hhx", &n);
 dest[i] = n;
- s += 2;
+ s += 3;
 } else {
- dest[i] = *s;
+ dest[i] = *s++;
 }
 }
 dest[i] = '\0';
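Review bot: `%00` still satisfies both `isxdigit()` tests, so the loop writes a NUL byte to `dest[i]` in the middle of the output and keeps copying after it; every later consumer that treats `dest` as a C string then sees a path that ends at that byte, which may differ from what was validated or logged. The smallest change inside this hunk is to exclude that one value from decoding, e.g. add `&& !(s[1] == '0' && s[2] == '0')` to the condition so the sequence is copied literally. Rejecting such a request outright would be cleaner but needs decode() to report failure, and its declaration and callers are outside the hunk. Separately, the ignored `sscanf()` result is safe here only because of the two preceding `isxdigit()` checks; a short comment saying so, `/* both digits verified above, sscanf cannot fail */`, would keep the guard from being dropped later.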