From: Mark Ellzey
Date: Sun, 14 Aug 2016 21:00:02 +0000 (-0700)
Subject: pointer overflow checks for evhttp_uriencode
X-Git-Tag: release-2.1.6-beta~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=72afe4c93b180be7812fd3841262e039d62f2010;p=libevent
pointer overflow checks for evhttp_uriencode
Check to make sure pointer math is all OK.
---
diff --git a/http.c b/http.c
index d3c79f82..c822e35f 100644
--- a/http.c
+++ b/http.c
@@ -3073,14 +3073,33 @@ evhttp_uriencode(const char *uri, ev_ssize_t len, int space_as_plus)
 struct evbuffer *buf = evbuffer_new();
 const char *p, *end;
 char *result;
+ ev_ssize_t c_len = len;
- if (buf == NULL)
+ if (buf == NULL) {
 return (NULL);
+ }
- if (len >= 0)
- end = uri+len;
- else
- end = uri+strlen(uri);
+
+ if (len >= 0 && uri + len < uri) {
+ if (uri + len < uri) {
+ return (NULL);
+ }
+
+ end = uri + len;
+ } else {
+ size_t slen = strlen(uri);
+
+ if (slen >= EV_SSIZE_MAX) {
+ /* we don't want to mix signed and unsigned */
+ return (NULL);
+ }
+
+ if (uri + slen < uri) {
+ return (NULL);
+ }
+
+ end = uri + slen;
+ }
 for (p = uri; p < end; p++) {
 if (CHAR_IS_UNRESERVED(*p)) {
@@ -3091,10 +3110,13 @@ evhttp_uriencode(const char *uri, ev_ssize_t len, int space_as_plus)
 evbuffer_add_printf(buf, "%%%02X", (unsigned char)(*p));
 }
 }
+ evbuffer_add(buf, "", 1); /* NUL-terminator. */
 result = mm_malloc(evbuffer_get_length(buf));
+ if (result)
 evbuffer_remove(buf, result, evbuffer_get_length(buf));
+ evbuffer_free(buf);
 return (result);
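Review bot: The outer test `if (len >= 0 && uri + len < uri)` in the first hunk is true only when the pointer sum wraps, so every ordinary call with a non-negative `len` falls into the `else` branch and is measured with `strlen(uri)`; the caller's length is ignored, and a buffer that is not NUL-terminated is read past its end. Inside that branch the repeated `if (uri + len < uri)` always returns, leaving `end = uri + len;` unreachable; the outer condition should be just `if (len >= 0) {` with the wrap check kept inside. Each new `return (NULL);` runs after `evbuffer_new()` has succeeded, so it skips `evbuffer_free(buf)` and leaks the buffer, and `c_len` is never used in the visible lines. `uri + len < uri` relies on pointer overflow, which C leaves undefined, so a compiler may remove it; an integer comparison of the length against the remaining address range would be sturdier. The function's opening and the rest of the loop lie outside this hunk, so these points cover only the lines shown.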