From 07c8a6f056bcd8c310a2eb4f83964b2d22c6c141 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Wed, 6 Oct 2021 15:15:20 -0400
Subject: [PATCH] [core] bounds check while url-decoding (thx helmut)

do not read-ahead past '\0' while url-decoding

lighttpd 1.4.60 could previously have read one byte of potentially uninitialized data. lighttpd detects the '\0' so there is no exposure of data.

This also can not cause a crash in lighttpd 1.4.60 due to how lighttpd 1.4.60 allocates memory for buffers in sizes (power-2 + 1), and typical system malloc alignment of 4- or 8- bytes.
---
 src/buffer.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/buffer.c b/src/buffer.c
index 15ae282e..f247cbe5 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -753,9 +753,9 @@ void buffer_urldecode_path(buffer * const b) {
 char *dst = src;
 do {
 /* *src == '%' */
- unsigned char high = hex2int(*(src + 1));
- unsigned char low = hex2int(*(src + 2));
- if (0xFF != high && 0xFF != low) {
+ unsigned char high = ((unsigned char *)src)[1];
+ unsigned char low = high ? hex2int(((unsigned char *)src)[2]) : 0xFF;
+ if (0xFF != (high = hex2int(high)) && 0xFF != low) {
 high = (high << 4) | low;
 /* map ctrls to '_' */
 *dst = (high >= 32 && high != 127) ? high : '_';
 src += 2;
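Review bot: The guard on the added `low` line is only safe because the buffer behind `src` is `'\0'`-terminated — assuming `src` points at a `'%'` inside that buffer, `src[1]` is at worst the terminator, and `src[2]` is read only after `src[1]` proved non-zero — but nothing at the site records that invariant, so a later change that runs this loop over an unterminated slice would silently reintroduce the over-read the commit is fixing. I would state it next to the read: `/* b->ptr is '\0'-terminated: src[1] is at most the NUL, and src[2] is read only when src[1] != '\0' (low is then forced to 0xFF so the check below fails) */`. The assignment buried inside the `if` condition on the third added line is easy to misread on review; splitting it keeps the same evaluation order, e.g. `high = hex2int(high);` on its own line followed by `if (0xFF != high && 0xFF != low) {`. `buffer_urldecode_path` begins before this hunk and continues after it, so the loop condition that presumably stops at the terminator is not visible here.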