From 864f5d4c127def386dd5cc926ad96934b297f04e Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 23 Sep 2018 20:07:25 +0200
Subject: [PATCH] UriQuery.c: Fix out-of-bounds-write in ComposeQuery and ...Ex
Reported by Google Autofuzz team
---
lib/UriQuery.c | 1 +
test/test.cpp | 32 ++++++++++++++++++++++++++++++++
2 files changed, 33 insertions(+)
diff --git a/lib/UriQuery.c b/lib/UriQuery.c
index 5fd6b68..eb22157 100644
--- a/lib/UriQuery.c
+++ b/lib/UriQuery.c
@@ -219,6 +219,7 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
/* Copy key */
if (firstItem == URI_TRUE) {
+ ampersandLen = 1;
firstItem = URI_FALSE;
} else {
write[0] = _UT('&';;
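Review bot: The added `ampersandLen = 1;` carries no comment saying which computation depends on it, and the size check that presumably reads `ampersandLen` lies outside this hunk, so the connection between this assignment and the out-of-bounds write named in the subject cannot be seen from these lines. A comment on the new line such as `/* every later item is preceded by '&'; the size check must reserve one char for it */` would record the invariant. Because `firstItem` and `ampersandLen` have to change together, it is worth confirming that no other branch of ComposeQueryEngine updates one without the other; the function begins and ends outside the hunk.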
diff --git a/test/test.cpp b/test/test.cpp
index 41e3912..dbb8adb 100644
--- a/test/test.cpp
+++ b/test/test.cpp
@@ -91,6 +91,7 @@ class UriSuite : public Suite {
TEST_ADD(UriSuite::testCrash_MakeOwner_Bug20080207)
TEST_ADD(UriSuite::testQueryList)
TEST_ADD(UriSuite::testQueryListPair)
+ TEST_ADD(UriSuite::testQueryCompositionMathWrite_GoogleAutofuzz113244572)
TEST_ADD(UriSuite::testFreeCrash_Bug20080827)
}
@@ -1501,6 +1502,37 @@ Rule | Example | hostSet | absPath | emptySeg
testQueryListPairHelper("one=two=three=four", "one", "two=three=four", "one=two%3Dthree%3Dfour");
}
+ void testQueryCompositionMathWrite_GoogleAutofuzz113244572() {
+ UriQueryListA second = { .key = "\x11", .value = NULL, .next = NULL };
+ UriQueryListA first = { .key = "\x01", .value = "\x02", .next = &second };
+
+ const UriBool spaceToPlus = URI_TRUE;
+ const UriBool normalizeBreaks = URI_FALSE; /* for factor 3 but 6 */
+
+ const int charsRequired = (3 + 1 + 3) + 1 + (3);
+
+ {
+ // Minimum space to hold everything fine
+ const char * const expected = "%01=%02" "&" "%11";
+ char dest[charsRequired + 1];
+ int charsWritten;
+ TEST_ASSERT(uriComposeQueryExA(dest, &first, sizeof(dest),
+ &charsWritten, spaceToPlus, normalizeBreaks)
+ == URI_SUCCESS);
+ TEST_ASSERT(! strcmp(dest, expected));
+ TEST_ASSERT(charsWritten == strlen(expected) + 1);
+ }
+
+ {
+ // Previous math failed to take ampersand into account
+ char dest[charsRequired + 1 - 1];
+ int charsWritten;
+ TEST_ASSERT(uriComposeQueryExA(dest, &first, sizeof(dest),
+ &charsWritten, spaceToPlus, normalizeBreaks)
+ == URI_ERROR_OUTPUT_TOO_LARGE);
+ }
+ }
+
void testFreeCrash_Bug20080827() {
char const * const sourceUri = "abc";
char const * const baseUri = "http://www.example.org/";
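Review bot: The undersized-buffer block of testQueryCompositionMathWrite_GoogleAutofuzz113244572 asserts only the return code, so nothing checks that no byte past the permitted length was touched. A regression that overruns and still returns URI_ERROR_OUTPUT_TOO_LARGE would pass unless the suite happens to run under a memory sanitizer. Keeping one spare byte behind the advertised size as a guard, and asserting it is unchanged after the call, makes the test catch the write itself; the length passed to the function stays the same as in the commit. Separately, the `.key = …` designated initializers at the top of the test are a C99 construct that standard C++ accepts only from C++20, so the file relies on a compiler extension if it is built as an older dialect.

```cpp
// … unchanged: query list setup and the exact-fit block …
{
	// Previous math failed to take ampersand into account
	char dest[charsRequired + 1];   // last byte is a guard, not offered to the callee
	dest[charsRequired] = '\x7f';
	int charsWritten;
	TEST_ASSERT(uriComposeQueryExA(dest, &first, charsRequired,
			&charsWritten, spaceToPlus, normalizeBreaks)
			== URI_ERROR_OUTPUT_TOO_LARGE);
	TEST_ASSERT(dest[charsRequired] == '\x7f');
}
```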