[core] bounds check while url-decoding

(thx helmut) do not read-ahead past '\0' while url-decoding lighttpd 1.4.60 could previously have read one byte of potentially uninitialized data. lighttpd detects the '\0' so there is no exposure of data. This also can not cause a crash in lighttpd 1.4.60 due to how lighttpd 1.4.60 allocates memory for buffers in sizes (power-2 + 1), and typical system malloc alignment of 4- or 8- bytes.
1 year ago · 07c8a6f056
parent 575665ad88
commit 07c8a6f056
1 changed files with 3 additions and 3 deletions
--- a/src/buffer.c
+++ b/src/buffer.c
@ -753,9 +753,9 @@ void buffer_urldecode_path(buffer * const b) {
    char *dst = src;
    do {
        /* *src == '%' */
-        unsigned char high = hex2int(*(src + 1));
-        unsigned char low = hex2int(*(src + 2));
-        if (0xFF != high && 0xFF != low) {
+        unsigned char high = ((unsigned char *)src)[1];
+        unsigned char low = high ? hex2int(((unsigned char *)src)[2]) : 0xFF;
+        if (0xFF != (high = hex2int(high)) && 0xFF != low) {
            high = (high << 4) | low;   /* map ctrls to '_' */
            *dst = (high >= 32 && high != 127) ? high : '_';
            src += 2;