pointer overflow checks for evhttp_uriencode

Check to make sure pointer math is all OK.
Mark Ellzey 2016-08-14 14:00:02 -07:00
parent 43eb56c7c7
commit 72afe4c93b
No known key found for this signature in database
GPG Key ID: F20A5EBD06A5B6C2

32
http.c

@ -3073,14 +3073,33 @@ evhttp_uriencode(const char *uri, ev_ssize_t len, int space_as_plus)
struct evbuffer *buf = evbuffer_new(); struct evbuffer *buf = evbuffer_new();
const char *p, *end; const char *p, *end;
char *result; char *result;
ev_ssize_t c_len = len;
if (buf == NULL) if (buf == NULL) {
return (NULL); return (NULL);
}
if (len >= 0)
end = uri+len; if (len >= 0 && uri + len < uri) {
else if (uri + len < uri) {
end = uri+strlen(uri); return (NULL);
}
end = uri + len;
} else {
size_t slen = strlen(uri);
if (slen >= EV_SSIZE_MAX) {
/* we don't want to mix signed and unsigned */
return (NULL);
}
if (uri + slen < uri) {
return (NULL);
}
end = uri + slen;
}
for (p = uri; p < end; p++) { for (p = uri; p < end; p++) {
if (CHAR_IS_UNRESERVED(*p)) { if (CHAR_IS_UNRESERVED(*p)) {
@ -3091,10 +3110,13 @@ evhttp_uriencode(const char *uri, ev_ssize_t len, int space_as_plus)
evbuffer_add_printf(buf, "%%%02X", (unsigned char)(*p)); evbuffer_add_printf(buf, "%%%02X", (unsigned char)(*p));
} }
} }
evbuffer_add(buf, "", 1); /* NUL-terminator. */ evbuffer_add(buf, "", 1); /* NUL-terminator. */
result = mm_malloc(evbuffer_get_length(buf)); result = mm_malloc(evbuffer_get_length(buf));
if (result) if (result)
evbuffer_remove(buf, result, evbuffer_get_length(buf)); evbuffer_remove(buf, result, evbuffer_get_length(buf));
evbuffer_free(buf); evbuffer_free(buf);
return (result); return (result);
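Review bot: As rendered, the new outer condition reads `if (len >= 0 && uri + len < uri) {`, so a non-negative `len` that does not wrap skips that branch and falls into the `else`, where `end` is derived from `strlen(uri)`. The caller-supplied length is then ignored: input with an embedded NUL is cut short, and a buffer that is not NUL-terminated is read past `len`. The outer test should be `if (len >= 0) {` with the wrap check kept as the inner `if`. Each new `return (NULL);` taken after `evbuffer_new()` succeeded also skips `evbuffer_free(buf)`, so those paths should free `buf` first (or jump to a shared cleanup label), and `c_len` looks unused in the visible lines. The closing lines of `evhttp_uriencode` fall outside this section, so the cleanup suggestion assumes no existing label there.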