Merge pull request #784 from ennorehling/develop

fix str_escape read overflow
2018-05-27 15:22:49 +02:00 · 2018-05-27 15:22:49 +02:00 · 82f2aa0d52
parent ef7ee57893 034872c44e
commit 82f2aa0d52
2 changed files with 25 additions and 2 deletions
--- a/src/util/strings.c
+++ b/src/util/strings.c
@ -312,10 +312,13 @@ char *str_unescape(char *str) {

 const char *str_escape_ex(const char *str, char *buffer, size_t size, const char *chars)
 {
+    size_t slen = strlen(str);
    const char *read = str;
    char *write = buffer;
-    if (size < 1) return NULL;
-    while (size > 1 && *read) {
+    if (size < 1) {
+        return NULL;
+    }
+    while (slen > 0 && size > 1 && *read) {
        const char *pos = strpbrk(read, chars);
        size_t len = size;
        if (pos) {
@ -324,7 +327,11 @@ const char *str_escape_ex(const char *str, char *buffer, size_t size, const char
        if (len < size) {
            unsigned char ch = *(const unsigned char *)pos;
            if (len > 0) {
+                if (len > slen) {
+                    len = slen;
+                }
                memmove(write, read, len);
+                slen -= len;
                write += len;
                read += len;
                size -= len;
@ -376,13 +383,18 @@ const char *str_escape_ex(const char *str, char *buffer, size_t size, const char
                else size = 1;
            }
            ++read;
+            --slen;
        } else {
            /* end of buffer space */
            len = size - 1;
            if (len > 0) {
+                if (len > slen) {
+                    len = slen;
+                }
                memmove(write, read, len);
                write += len;
                size -= len;
+                slen -= len;
                break;
            }
        }
--- a/src/util/strings.test.c
+++ b/src/util/strings.test.c
@ -22,6 +22,16 @@ static void test_str_unescape(CuTest * tc)
    CuAssertStrEquals(tc, "\"\\\n\t\ra", scratch);
 }

+static void test_str_escape_ex(CuTest * tc)
+{
+    char scratch[16];
+
+    CuAssertPtrEquals(tc, NULL, (void *)str_escape_ex("1234", scratch, 0, "\\\""));
+    memset(scratch, 0, sizeof(scratch));
+    CuAssertStrEquals(tc, "1234", (void *)str_escape_ex("1234\000abcd", scratch, 16, "\\\""));
+    CuAssertIntEquals(tc, 0, scratch[5]);
+}
+
 static void test_str_escape(CuTest * tc)
 {
    char scratch[16];
@ -149,6 +159,7 @@ CuSuite *get_strings_suite(void)
    CuSuite *suite = CuSuiteNew();
    SUITE_ADD_TEST(suite, test_str_hash);
    SUITE_ADD_TEST(suite, test_str_escape);
+    SUITE_ADD_TEST(suite, test_str_escape_ex);
    SUITE_ADD_TEST(suite, test_str_unescape);
    SUITE_ADD_TEST(suite, test_str_replace);
    SUITE_ADD_TEST(suite, test_str_slprintf);