UriQuery.c: Fix out-of-bounds-write in ComposeQuery and ...Ex
Reported by Google Autofuzz team
hartwork committed Sep 23, 2018
1 parent f7230d6 commit 864f5d4
Showing 2 changed files with 33 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/UriQuery.c
Expand Up @@ -223,6 +223,7 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,

/* Copy key */
if (firstItem == URI_TRUE) {
ampersandLen = 1;
firstItem = URI_FALSE;
} else {
write[0] = _UT('&');
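Review bot: The assignment `ampersandLen = 1;` in the `firstItem == URI_TRUE` branch is the whole fix, yet nothing in the hunk says why a separator length is recorded on the very item that writes no `&`; the capacity check that presumably consumes it lies outside the hunk, so a reader of this branch alone may see the line as dead and remove it again. A one-line why-comment would pin it down, e.g. `/* Every item after the first is preceded by '&'; count it in the remaining-space check */`. ComposeQueryEngine starts before the hunk and continues after it, so whether the size check is the only consumer of ampersandLen cannot be confirmed from here. The regression test added in test/test.cpp (`dest[charsRequired + 1 - 1]` expecting URI_ERROR_OUTPUT_TOO_LARGE) is the right companion to this change; referencing it by name in the comment would tie the two together.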
32 changes: 32 additions & 0 deletions test/test.cpp
Expand Up @@ -104,6 +104,7 @@ class UriSuite : public Suite {
TEST_ADD(UriSuite::testQueryList)
TEST_ADD(UriSuite::testQueryListPair)
TEST_ADD(UriSuite::testQueryDissection_Bug3590761)
TEST_ADD(UriSuite::testQueryCompositionMathWrite_GoogleAutofuzz113244572)
TEST_ADD(UriSuite::testFreeCrash_Bug20080827)
TEST_ADD(UriSuite::testParseInvalid_Bug16)
TEST_ADD(UriSuite::testRangeComparison)
Expand Down Expand Up @@ -1749,6 +1750,37 @@ Rule | Example | hostSet | absPath | emptySeg
uriFreeQueryListA(queryList);
}

void testQueryCompositionMathWrite_GoogleAutofuzz113244572() {
UriQueryListA second = { .key = "\x11", .value = NULL, .next = NULL };
UriQueryListA first = { .key = "\x01", .value = "\x02", .next = &second };

const UriBool spaceToPlus = URI_TRUE;
const UriBool normalizeBreaks = URI_FALSE; /* for factor 3 but 6 */

const int charsRequired = (3 + 1 + 3) + 1 + (3);

{
// Minimum space to hold everything fine
const char * const expected = "%01=%02" "&" "%11";
char dest[charsRequired + 1];
int charsWritten;
TEST_ASSERT(uriComposeQueryExA(dest, &first, sizeof(dest),
&charsWritten, spaceToPlus, normalizeBreaks)
== URI_SUCCESS);
TEST_ASSERT(! strcmp(dest, expected));
TEST_ASSERT(charsWritten == strlen(expected) + 1);
}

{
// Previous math failed to take ampersand into account
char dest[charsRequired + 1 - 1];
int charsWritten;
TEST_ASSERT(uriComposeQueryExA(dest, &first, sizeof(dest),
&charsWritten, spaceToPlus, normalizeBreaks)
== URI_ERROR_OUTPUT_TOO_LARGE);
}
}

void testFreeCrash_Bug20080827() {
char const * const sourceUri = "abc";
char const * const baseUri = "http://www.example.org/";
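Review bot: The two initializer lines `UriQueryListA second = { .key = "\x11", .value = NULL, .next = NULL };` and the matching `first` use designated initializers, which are standard only from C++20 and otherwise a GCC/Clang extension (the standard this test file is built with is not visible here); MSVC in a pre-C++20 mode rejects them, and even as an extension the designators must follow the struct's declaration order. If the build is not pinned to C++20, positional aggregate initialization `UriQueryListA second = { "\x11", NULL, NULL };` with a comment naming the members keeps the intent and is portable. Separately, `TEST_ASSERT(charsWritten == strlen(expected) + 1);` compares `int` with `size_t` and draws -Wsign-compare; `TEST_ASSERT(charsWritten == (int)(strlen(expected) + 1));` avoids it. The comment `/* for factor 3 but 6 */` is hard to parse; `/* keeps the per-byte expansion factor at 3 rather than 6 */` says what the `URI_FALSE` choice does for the `charsRequired` arithmetic below it.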
