mirror of
https://github.com/cuberite/libevent.git
synced 2025-09-09 04:19:10 -04:00
Prevent size_t overflow in evhttp_htmlescape.
Modified the `html_replace' function so that it returns the length of the replacement string instead of the string itself. This is used to easily check for overflows of the `new_size' variable in the first for loop of the `evhttp_htmlescape' function, and thus potential out of bounds writes in the second for loop (if an overflow occurs in new_size, then new_size < old_size). Also check that new_size + 1 doesn't overflow in mm_malloc(new_size + 1). Removed the `scratch_space' variable from the `evhttp_htmlescape' function since it wasn't actually used; also removed the `buf' variable from the `evhttp_htmlescape' function since it was only used by `scratch_space'.
This commit is contained in:
Mansour Moufid
Nick Mathewson
parent
74760f1864
commit
06c51cdf93
52
http.c
52
http.c
@ -219,29 +219,30 @@ strsep(char **s, const char *del)
|
||||
}
|
||||
#endif
|
||||
|
||||
static const char *
|
||||
html_replace(char ch, char *buf)
|
||||
static size_t
|
||||
html_replace(const char ch, const char **escaped)
|
||||
{
|
||||
switch (ch) {
|
||||
case '<':
|
||||
return "<";
|
||||
*escaped = "<";
|
||||
return 4;
|
||||
case '>':
|
||||
return ">";
|
||||
*escaped = ">";
|
||||
return 4;
|
||||
case '"':
|
||||
return """;
|
||||
*escaped = """;
|
||||
return 6;
|
||||
case '\'':
|
||||
return "'";
|
||||
*escaped = "'";
|
||||
return 6;
|
||||
case '&':
|
||||
return "&";
|
||||
*escaped = "&";
|
||||
return 5;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
/* Echo the character back */
|
||||
buf[0] = ch;
|
||||
buf[1] = '\0';
|
||||
|
||||
return buf;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -255,21 +256,34 @@ char *
|
||||
evhttp_htmlescape(const char *html)
|
||||
{
|
||||
size_t i;
|
||||
size_t new_size = 0, old_size = strlen(html);
|
||||
size_t new_size = 0, old_size = 0;
|
||||
char *escaped_html, *p;
|
||||
char scratch_space[2];
|
||||
|
||||
for (i = 0; i < old_size; ++i)
|
||||
new_size += strlen(html_replace(html[i], scratch_space));
|
||||
if (html == NULL)
|
||||
return (NULL);
|
||||
|
||||
old_size = strlen(html);
|
||||
for (i = 0; i < old_size; ++i) {
|
||||
const char *replaced = NULL;
|
||||
const size_t replace_size = html_replace(html[i], &replaced);
|
||||
if (replace_size > EV_SIZE_MAX - new_size) {
|
||||
event_warn("%s: html_replace overflow", __func__);
|
||||
return (NULL);
|
||||
}
|
||||
new_size += replace_size;
|
||||
}
|
||||
|
||||
if (new_size == EV_SIZE_MAX)
|
||||
return (NULL);
|
||||
p = escaped_html = mm_malloc(new_size + 1);
|
||||
if (escaped_html == NULL) {
|
||||
event_warn("%s: malloc(%ld)", __func__, (long)(new_size + 1));
|
||||
event_warn("%s: malloc(%lu)", __func__,
|
||||
(unsigned long)(new_size + 1));
|
||||
return (NULL);
|
||||
}
|
||||
for (i = 0; i < old_size; ++i) {
|
||||
const char *replaced = html_replace(html[i], scratch_space);
|
||||
size_t len = strlen(replaced);
|
||||
const char *replaced = &html[i];
|
||||
const size_t len = html_replace(html[i], &replaced);
|
||||
memcpy(p, replaced, len);
|
||||
p += len;
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user