cuberite/libevent
1
0
Fork 0
mirror of https://github.com/cuberite/libevent.git synced 2025-09-08 11:53:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

pointer overflow checks for evhttp_uriencode

Browse Source 
Check to make sure pointer math is all OK.
This commit is contained in:
Mark Ellzey 2016-08-14 14:00:02 -07:00
parent 43eb56c7c7
commit 72afe4c93b
No known key found for this signature in database
GPG Key ID: F20A5EBD06A5B6C2
1 changed files with 27 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
http.c
View File

@ -3073,14 +3073,33 @@ evhttp_uriencode(const char *uri, ev_ssize_t len, int space_as_plus)
struct evbuffer *buf = evbuffer_new();
const char *p, *end;
char *result;
ev_ssize_t c_len = len;
if (buf == NULL)
if (buf == NULL) {
return (NULL);
}
if (len >= 0)
end = uri+len;
else
end = uri+strlen(uri);
if (len >= 0 && uri + len < uri) {
if (uri + len < uri) {
return (NULL);
}
end = uri + len;
} else {
size_t slen = strlen(uri);
if (slen >= EV_SSIZE_MAX) {
/* we don't want to mix signed and unsigned */
return (NULL);
}
if (uri + slen < uri) {
return (NULL);
}
end = uri + slen;
}
for (p = uri; p < end; p++) {
if (CHAR_IS_UNRESERVED(*p)) {
@ -3091,10 +3110,13 @@ evhttp_uriencode(const char *uri, ev_ssize_t len, int space_as_plus)
evbuffer_add_printf(buf, "%%%02X", (unsigned char)(*p));
}
}
evbuffer_add(buf, "", 1); /* NUL-terminator. */
result = mm_malloc(evbuffer_get_length(buf));
if (result)
evbuffer_remove(buf, result, evbuffer_get_length(buf));
evbuffer_free(buf);
return (result);