Fix uriParse*Ex* out-of-bounds read
hartwork committed Dec 8, 2018
1 parent 499214c commit cef2502
Showing 3 changed files with 24 additions and 0 deletions.
6 changes: 6 additions & 0 deletions ChangeLog
Expand Up @@ -4,6 +4,12 @@ NOTE: uriparser is looking for help with a few things:

201x-xx-xx -- x.x.x

* Fixed:
Out-of-bounds read in uriParse*Ex* for incomplete URIs with IPv6
addresses with embedded IPv4 address, e.g. "//[::44.1";
mitigated if passed parameter <afterLast> points to readable memory
containing a '\0' byte.
Thanks to Joergen Ibsen for the report!
* Fixed: uriToStringCharsRequired* reported 1 more byte than actually needed
for IPv4 address URIs (GitHub #41); Thanks to @gyh007 for the patch!
* Fixed: Compilation with MinGW
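Review bot: the new ChangeLog entry names the affected API only through the wildcard uriParse*Ex* and, unlike the entry right after it (GitHub #41), carries no issue or report reference. Consider listing the affected entry points explicitly (the test added in this commit exercises uriParseSingleUriExA) and adding a tracking reference if one exists, so packagers can match this fix to the report.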
5 changes: 5 additions & 0 deletions src/UriParse.c
Expand Up @@ -692,6 +692,11 @@ static const URI_CHAR * URI_FUNC(ParseIPv6address2)(
return NULL;
}
first++;

if (first >= afterLast) {
URI_FUNC(StopSyntax)(state, first, memory);
return NULL;
}
}
} else {
/* Eat while no dot in sight */
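Review bot: the added `if (first >= afterLast)` test directly after `first++` has no comment saying which later read it protects, which makes it easy to drop in a future refactor. A one-line comment stating that `first` must be re-validated against `afterLast` before the next character is examined would document the invariant. This hunk shows only one increment, so it is also worth confirming in review that every other place in ParseIPv6address2 that advances `first`, including the else branch beginning at "Eat while no dot in sight", is followed by the same kind of check.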
13 changes: 13 additions & 0 deletions test/test.cpp
Expand Up @@ -242,6 +242,19 @@ TEST(UriSuite, TestIpSixFail) {
URI_TEST_IP_SIX_FAIL("g:0:0:0:0:0:0");
}

TEST(UriSuite, TestIpSixOverread) {
UriUriA uri;
const char * errorPos;

// NOTE: This string is designed to not have a terminator
char uriText[2 + 3 + 2 + 1 + 1];
strncpy(uriText, "//[::44.1", sizeof(uriText));

EXPECT_EQ(uriParseSingleUriExA(&uri, uriText,
uriText + sizeof(uriText), &errorPos), URI_ERROR_SYNTAX);
EXPECT_EQ(errorPos, uriText + sizeof(uriText));
}

TEST(UriSuite, TestUri) {
UriParserStateA stateA;
UriParserStateW stateW;
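Review bot: in TestIpSixOverread the buffer size `2 + 3 + 2 + 1 + 1` is a hand-computed sum that must stay exactly equal to the length of "//[::44.1" for the string to remain unterminated; if the literal is ever edited, the test silently stops covering the overread. Deriving the size from the literal (for example `sizeof("//[::44.1") - 1`) and copying with memcpy instead of strncpy would make the missing terminator explicit and avoid GCC's -Wstringop-truncation warning. The test also covers only the A variant; a matching W case would exercise the wide-character build of the same code.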