From ba29eb3fcfa1fbea09ac489291900572cad5f939 Mon Sep 17 00:00:00 2001 From: Rene Kita Date: Mon, 11 Oct 2021 15:12:19 +0200 Subject: [PATCH] Check for end of string when parsing Gopher URLs This fixes issue #199 reported by Kuang-che Wu. A specially crafted Gopher URL (e.g. '') could lead to an out-of-bounds read. Problem here was, that 'p' was incremented twice without checking for the end of the string. The interesting question for me is: What does this 'if' actually check? What is special here about the 'R'? I did not find anything related in RFC 1436 or in RFC 4266. --- url.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/url.c b/url.c index 1fbda17..07f3ea0 100644 --- a/url.c +++ b/url.c @@ -978,7 +978,10 @@ parseURL(char *url, ParsedURL *p_url, ParsedURL *current) } #ifdef USE_GOPHER if (p_url->scheme == SCM_GOPHER && *p == 'R') { - p++; + if (!*++p) { + p_url->file = ""; + goto do_query; + } tmp = Strnew(); Strcat_char(tmp, *(p++)); while (*p && *p != '/')
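Review bot: The new `if (!*++p)` guard covers the unchecked dereference: the first `p++` previously walked past the terminator before `Strcat_char(tmp, *(p++))` read it, while the second increment is already protected by the `while (*p && *p != '/')` test that follows. Two things to confirm on the early-exit path: `p_url->file = ""` assigns a read-only string literal, so check that nothing downstream modifies or frees `p_url->file` (other code in this function may allocate it), and that `do_query` leaves the remaining `p_url` fields (label, query, fragment) in the same state as the normal path reaches them. Since the commit message itself asks what the `'R'` prefix means and no RFC reference was found, add a short comment above the `if (p_url->scheme == SCM_GOPHER && *p == 'R')` branch stating the intent as far as it is known, so the next reader does not have to rediscover the question.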