url: do not read past end of buffer

url_decode_internal could have been tricked into reading past the length of the **query buffer if there are fewer than 2 characters after a % (in a null-terminated string, % would have to be the last character). Prevent this from happening by checking len before decoding the % sequence. Helped-by: N René Scharfe <l.s.r@web.de> Signed-off-by: N Matthew DeVore <matvore@google.com> Signed-off-by: N Junio C Hamano <gitster@pobox.com>

url: do not read past end of buffer
url_decode_internal could have been tricked into reading past the length of the **query buffer if there are fewer than 2 characters after a % (in a null-terminated string, % would have to be the last character). Prevent this from happening by checking len before decoding the % sequence. Helped-by: N René Scharfe <l.s.r@web.de> Signed-off-by: N Matthew DeVore <matvore@google.com> Signed-off-by: N Junio C Hamano <gitster@pobox.com>
3f6b8a61 · Matthew DeVore · Junio C Hamano · aeb582a9 · 3f6b8a61
显示空白变更内容
内联并排

Showing with 1 addition and 1 deletion

url.c url.c +1 -1

未找到文件。
--- a/url.c
+++ b/url.c
@@ -46,7 +46,7 @@ static char *url_decode_internal(const char **query, int len,
 			break;
 		}

-		if (c == '%') {
+		if (c == '%' && (len < 0 || len >= 3)) {
 			int val = hex2chr(q + 1);
 			if (0 <= val) {
 				strbuf_addch(out, val);