Fix potential issue with heap buffer overflow.

etr · etr · commit bcd12d363fdc · 2020-11-22T17:05:35.000Z
Thanks to sgbhat2 for fuzztesting the library and finding out.
diff --git a/src/http_utils.cpp b/src/http_utils.cpp
@@ -33,6 +33,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <ctype.h>
 #include <fstream>
 #include <iomanip>
 #include <iterator>
@@ -304,12 +305,13 @@ size_t http_unescape(std::string& val)
 {
     if (val.empty()) return 0;
 
-    int rpos = 0;
-    int wpos = 0;
+    unsigned int rpos = 0;
+    unsigned int wpos = 0;
 
     unsigned int num;
+    unsigned int size = val.size();
 
-    while ('\0' != val[rpos])
+    while (rpos < size && val[rpos] != '\0')
     {
         switch (val[rpos])
         {
@@ -319,8 +321,8 @@ size_t http_unescape(std::string& val)
                 rpos++;
                 break;
             case '%':
-                if ( (1 == sscanf (val.substr(rpos + 1).c_str(), "%2x", &num)) ||
-                    (1 == sscanf (val.substr(rpos + 1).c_str(), "%2X", &num))
+                if (size > rpos + 2 && ((1 == sscanf (val.substr(rpos + 1, 2).c_str(), "%2x", &num)) ||
+                    (1 == sscanf (val.substr(rpos + 1, 2).c_str(), "%2X", &num)))
                 )
                 {
                     val[wpos] = (unsigned char) num;
