
UriQuery.c: Catch integer overflow in ComposeQuery and ...Ex

hartwork committed Sep 23, 2018
1 parent 3d3e5e4 commit f76275d4a91b28d687250525d3a0c5509bbd666f
Showing with 14 additions and 2 deletions.
  1. +2 −0 ChangeLog
  2. +12 −2 src/UriQuery.c
@@ -4,6 +4,8 @@
Thanks to Google Autofuzz team for the report!
* Fixed: Fix off-by-one in uriComposeQueryCharsRequired* and ...Ex*
Reported space requirements were 1 byte bigger than necessary
* Fixed: Detect integer overflow in uriComposeQuery* and uriComposeQueryEx*
Thanks to Google Autofuzz team for the report!
* TODO BUMP SONAME

2018-08-18 -- 0.8.6
@@ -68,6 +68,10 @@



#include <limits.h>



static int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
const URI_TYPE(QueryList) * queryList,
int maxChars, int * charsWritten, int * charsRequired,
@@ -201,9 +205,15 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
const URI_CHAR * const value = queryList->value;
const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
const int keyRequiredChars = worstCase * keyLen;
int keyRequiredChars;
const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);
const int valueRequiredChars = worstCase * valueLen;
int valueRequiredChars;

if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) {
return URI_ERROR_OUTPUT_TOO_LARGE;
}
keyRequiredChars = worstCase * keyLen;
valueRequiredChars = worstCase * valueLen;

if (dest == NULL) {
(*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)
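Review bot: The new guard `if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase))` only keeps the two multiplications in range; the sum `ampersandLen + keyRequiredChars + ...` that is folded into `*charsRequired` on the last line of the hunk is still unchecked, and a key and a value each just under INT_MAX / worstCase in length give two products that alone add up past INT_MAX, which is signed overflow and undefined behaviour, as does the running `+=` across list entries if, as it appears, this body executes once per `queryList` node. A check of the form `if (keyRequiredChars > INT_MAX - ampersandLen - valueRequiredChars) { return URI_ERROR_OUTPUT_TOO_LARGE; }` before the sum, and `if (entryChars > INT_MAX - *charsRequired) { return URI_ERROR_OUTPUT_TOO_LARGE; }` before the `+=` with `entryChars` holding the per-entry total, closes both gaps. Separately, `(int)URI_STRLEN(key)` truncates a `size_t` and can turn negative for a string of 2 GiB or more on LP64, which the `>=` comparison would then let through; comparing the unsigned length before the cast, `URI_STRLEN(key) > (size_t)(INT_MAX / worstCase)`, avoids that. ComposeQueryEngine starts and ends outside this hunk and the trailing terms of the `(value == NULL)` expression are cut off here, so those terms need folding into the guard as well.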
