Fix heap buffer overflow (etr#215)

etr · web-flow · commit ec973dc883b0 · 2020-12-11T14:07:51.000-08:00
* Fix potential issue with heap buffer overflow.

Thanks to sgbhat2 for fuzztesting the library and finding out.

* Added unit test to cover new codepath in unescaping
diff --git a/src/http_utils.cpp b/src/http_utils.cpp
@@ -33,6 +33,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <ctype.h>
 #include <fstream>
 #include <iomanip>
 #include <iterator>
@@ -304,12 +305,13 @@ size_t http_unescape(std::string& val)
 {
     if (val.empty()) return 0;
 
-    int rpos = 0;
-    int wpos = 0;
+    unsigned int rpos = 0;
+    unsigned int wpos = 0;
 
     unsigned int num;
+    unsigned int size = val.size();
 
-    while ('\0' != val[rpos])
+    while (rpos < size && val[rpos] != '\0')
     {
         switch (val[rpos])
         {
@@ -319,8 +321,8 @@ size_t http_unescape(std::string& val)
                 rpos++;
                 break;
             case '%':
-                if ( (1 == sscanf (val.substr(rpos + 1).c_str(), "%2x", &num)) ||
-                    (1 == sscanf (val.substr(rpos + 1).c_str(), "%2X", &num))
+                if (size > rpos + 2 && ((1 == sscanf (val.substr(rpos + 1, 2).c_str(), "%2x", &num)) ||
+                    (1 == sscanf (val.substr(rpos + 1, 2).c_str(), "%2X", &num)))
                 )
                 {
                     val[wpos] = (unsigned char) num;
diff --git a/test/unit/http_utils_test.cpp b/test/unit/http_utils_test.cpp
@@ -67,7 +67,7 @@ LT_BEGIN_AUTO_TEST(http_utils_suite, unescape)
 LT_END_AUTO_TEST(unescape)
 
 LT_BEGIN_AUTO_TEST(http_utils_suite, unescape_plus)
-    char* with_plus = (char*) malloc(6 * sizeof(char));
+    char* with_plus = (char*) malloc(4 * sizeof(char));
     sprintf(with_plus, "%s", "A+B");
     std::string string_with_plus = with_plus;
     int expected_size = http::http_unescape(string_with_plus);
@@ -82,6 +82,22 @@ LT_BEGIN_AUTO_TEST(http_utils_suite, unescape_plus)
     free(expected);
 LT_END_AUTO_TEST(unescape_plus)
 
+LT_BEGIN_AUTO_TEST(http_utils_suite, unescape_partial_marker)
+    char* with_marker = (char*) malloc(6 * sizeof(char));
+    sprintf(with_marker, "%s", "A+B%0");
+    std::string string_with_marker = with_marker;
+    int expected_size = http::http_unescape(string_with_marker);
+
+    char* expected = (char*) malloc(6 * sizeof(char));
+    sprintf(expected, "%s", "A B%0");
+
+    LT_CHECK_EQ(string_with_marker, string(expected));
+    LT_CHECK_EQ(expected_size, 5);
+
+    free(with_marker);
+    free(expected);
+LT_END_AUTO_TEST(unescape_partial_marker)
+
 LT_BEGIN_AUTO_TEST(http_utils_suite, tokenize_url)
     string value = "test/this/url/here";
     string expected_arr[] = { "test", "this", "url", "here" };
