|
 |
12c301 |
From f76275d4a91b28d687250525d3a0c5509bbd666f Mon Sep 17 00:00:00 2001
|
|
|
12c301 |
From: Sebastian Pipping <sebastian@pipping.org>
|
|
|
12c301 |
Date: Sun, 23 Sep 2018 21:30:39 +0200
|
|
|
12c301 |
Subject: [PATCH] UriQuery.c: Catch integer overflow in ComposeQuery and ...Ex
|
|
|
12c301 |
|
|
|
12c301 |
---
|
|
|
12c301 |
lib/UriQuery.c | 14 ++++++++++++--
|
|
|
12c301 |
1 files changed, 12 insertions(+), 2 deletions(-)
|
|
|
12c301 |
|
|
|
12c301 |
diff --git a/lib/UriQuery.c b/lib/UriQuery.c
|
|
|
12c301 |
index 45acf5a..9165ec8 100644
|
|
|
12c301 |
--- a/lib/UriQuery.c
|
|
|
12c301 |
+++ b/lib/UriQuery.c
|
|
|
12c301 |
@@ -64,6 +64,10 @@
|
|
|
12c301 |
|
|
|
12c301 |
|
|
|
12c301 |
|
|
|
12c301 |
+#include <limits.h>
|
|
|
12c301 |
+
|
|
|
12c301 |
+
|
|
|
12c301 |
+
|
|
|
12c301 |
static int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
|
|
|
12c301 |
const URI_TYPE(QueryList) * queryList,
|
|
|
12c301 |
int maxChars, int * charsWritten, int * charsRequired,
|
|
|
12c301 |
@@ -197,9 +201,15 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
|
|
|
12c301 |
const URI_CHAR * const value = queryList->value;
|
|
|
12c301 |
const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
|
|
|
12c301 |
const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
|
|
|
12c301 |
- const int keyRequiredChars = worstCase * keyLen;
|
|
|
12c301 |
+ int keyRequiredChars;
|
|
|
12c301 |
const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);
|
|
|
12c301 |
- const int valueRequiredChars = worstCase * valueLen;
|
|
|
12c301 |
+ int valueRequiredChars;
|
|
|
12c301 |
+
|
|
|
12c301 |
+ if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) {
|
|
|
12c301 |
+ return URI_ERROR_OUTPUT_TOO_LARGE;
|
|
|
12c301 |
+ }
|
|
|
12c301 |
+ keyRequiredChars = worstCase * keyLen;
|
|
|
12c301 |
+ valueRequiredChars = worstCase * valueLen;
|
|
|
12c301 |
|
|
|
12c301 |
if (dest == NULL) {
|
|
|
12c301 |
if (firstItem == URI_TRUE) {
|