[...]
escape_with_table (cherokee_buffer_t *buffer,
1342 cherokee_buffer_t *src,
1343 uint32_t *is_char_escaped)
[...]
1346 const char *s,*s_next;
[...]
1359 s = src->buf;
1360 do {
1361 s_next = utf8_get_next_char (s);
1362
1363 /* It's single-byte character */
1364 if ((s_next - s) == 1) {
1365
1366 /* Check whether it has to be escaped */
1367 if (is_char_escaped[*s >> 5] & (1 << (*s & 0x1f))) {
[...]
cherokee/buffer.c: in line 1367, *s is used to index the is_char_escaped table. Because *s is signed, we can get (negative value) >> 5, which results in a negative value, so we access memory before is_char_escaped.
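The signed-index problem in the excerpt, shown as an added example (not the reporter's PoC or the project's patch): the same bitmap layout, the word index exactly as the original line computes it from a signed char, and the hardened lookup that widens through unsigned char first. The table contents and the 0xC3 sample byte are constructed for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* 256-bit bitmap in the layout the excerpt uses: word = byte >> 5, bit =
 * byte & 0x1f. Table contents below are constructed for this demo. */
#define ESCAPE_TABLE_WORDS 8

static void table_set(uint32_t *table, unsigned char c)
{
    table[c >> 5] |= (1u << (c & 0x1f));
}

/* Word index exactly as line 1367 computes it when *s is a signed char.
 * Returned instead of used, so the bad value can be inspected without
 * reading memory before the table. */
int table_index_signed(signed char c)
{
    return c >> 5;
}

/* Hardened form: widen through unsigned char, so the index is always 0..7. */
int table_index_unsigned(unsigned char c)
{
    return c >> 5;
}

bool index_in_bounds(int idx)
{
    return idx >= 0 && idx < ESCAPE_TABLE_WORDS;
}

/* Lookup that takes the byte as unsigned char; this is the fix pattern. */
bool is_char_escaped_safe(const uint32_t *table, unsigned char c)
{
    return (table[c >> 5] & (1u << (c & 0x1f))) != 0;
}

/* Sample policy: escape the space and every byte >= 0x80. A stray 0xC3
 * byte (only reached via the single-byte branch when UTF-8 is invalid)
 * now yields word 6, bit 3 instead of a negative word index. */
bool sample_escapes(unsigned char c)
{
    uint32_t table[ESCAPE_TABLE_WORDS];
    memset(table, 0, sizeof(table));
    table_set(table, ' ');
    for (unsigned b = 0x80; b <= 0xff; b++)
        table_set(table, (unsigned char)b);
    return is_char_escaped_safe(table, c);
}
```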
Simple PoC to reproduce
test8 is a handler for proxy module
Patch for this issue:
Setup:
Ubuntu 18.04 64 bit
source code from github, commit 9a75e65
build command:
mkdir /var/www/test{1..20}; for i in `seq 1 20`; do echo test > test$i/test.html; done
found by: Mateusz Kocielski, Michał Dardas from LogicalTrust