From 3f6b8a6177f3197ddad82a6da2ff9b4704664f5d Mon Sep 17 00:00:00 2001
From: Matthew DeVore <matvore@google.com>
Date: Tue, 4 Jun 2019 10:57:04 -0700
Subject: [PATCH] url: do not read past end of buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

url_decode_internal could have been tricked into reading past the length
of the **query buffer if there are fewer than 2 characters after a % (in
a null-terminated string, % would have to be the last character).
Prevent this from happening by checking len before decoding the %
sequence.

Helped-by: René Scharfe <l.s.r@web.de>
Signed-off-by: Matthew DeVore <matvore@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 url.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/url.c b/url.c
index 25576c390b..9ea9d5611b 100644
--- a/url.c
+++ b/url.c
@@ -46,7 +46,7 @@ static char *url_decode_internal(const char **query, int len,
 			break;
 		}
 
-		if (c == '%') {
+		if (c == '%' && (len < 0 || len >= 3)) {
 			int val = hex2chr(q + 1);
 			if (0 <= val) {
 				strbuf_addch(out, val);
-- 
GitLab