|
| 1 | +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Alexander Borisov <lex.borisov@gmail.com> |
| 3 | +Date: Fri, 5 Jun 2026 22:13:32 +0300 |
| 4 | +Subject: [PATCH 8/8] URL: fixed uninitialized memory in the path buffer |
| 5 | + growth. |
| 6 | + |
| 7 | +When a path was long enough to outgrow the on-stack buffer, the first |
| 8 | +move to the heap didn't copy what was already written, so the start of |
| 9 | +the path could contain garbage. Also fixed the 'last' pointer after the |
| 10 | +move. |
| 11 | + |
| 12 | +Per report from Recep Asan (recep@asan.me) |
| 13 | +--- |
| 14 | + source/lexbor/url/url.c | 3 ++- |
| 15 | + 1 file changed, 2 insertions(+), 1 deletion(-) |
| 16 | + |
| 17 | +diff --git a/source/lexbor/url/url.c b/source/lexbor/url/url.c |
| 18 | +index 86bcf8f..b6c0a1e 100644 |
| 19 | +--- a/source/lexbor/url/url.c |
| 20 | ++++ b/source/lexbor/url/url.c |
| 21 | +@@ -499,6 +499,7 @@ lxb_url_scheme_length = sizeof(lxb_url_scheme_res) / sizeof(lxb_url_scheme_data_ |
| 22 | + if (tmp == NULL) { \ |
| 23 | + return NULL; \ |
| 24 | + } \ |
| 25 | ++ memcpy(tmp, (sbuf_begin), offset); \ |
| 26 | + } \ |
| 27 | + else { \ |
| 28 | + tmp = lexbor_realloc((sbuf_begin), new_len); \ |
| 29 | +@@ -509,7 +510,7 @@ lxb_url_scheme_length = sizeof(lxb_url_scheme_res) / sizeof(lxb_url_scheme_data_ |
| 30 | + } \ |
| 31 | + \ |
| 32 | + (sbuf) = tmp + offset; \ |
| 33 | +- (last) = sbuf + lst; \ |
| 34 | ++ (last) = tmp + lst; \ |
| 35 | + (sbuf_begin) = tmp; \ |
| 36 | + (sbuf_end) = tmp + new_len; \ |
| 37 | + } \ |
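Review bot: The added `memcpy(tmp, (sbuf_begin), offset);` in the first-growth branch is only safe if `offset` is the count of bytes already written and `new_len` is at least `offset`; neither computation is visible here, because the macro starts above the hunk and continues below it. The same applies to `lst` in `(last) = tmp + lst;`, which is presumably measured from `sbuf_begin` and should be confirmed. A short comment on the copy would record why only this branch needs it, for example `/* First move off the stack buffer: a fresh allocation holds no data, unlike the realloc branch. */` placed before the line's trailing `\`. The diffstat lists only source/lexbor/url/url.c, so the fix ships without a regression test; a case with a path longer than the on-stack buffer, run under a memory sanitizer, would catch a return of the uninitialized read.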