storm/w3m
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Check for end of string when parsing Gopher URLs

Browse Source 
This fixes issue #199 reported by Kuang-che Wu.

A specially crafted Gopher URL (e.g. '<a href=gopher:R>') could lead to
an out-of-bounds read.

Problem here was, that 'p' was incremented twice without checking for
the end of the string.

The interesting question for me is: What does this 'if' actually check?
What is special here about the 'R'? I did not find anything related in
RFC 1436 or in RFC 4266.
This commit is contained in:
Rene Kita
2021-10-11 15:12:19 +02:00
parent 53d323453d
commit ba29eb3fcf
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
url.c
View File

@@ -978,7 +978,10 @@ parseURL(char *url, ParsedURL *p_url, ParsedURL *current)
} }
#ifdef USE_GOPHER #ifdef USE_GOPHER
if (p_url->scheme == SCM_GOPHER && *p == 'R') { if (p_url->scheme == SCM_GOPHER && *p == 'R') {
p++; if (!*++p) {
p_url->file = "";
goto do_query;
}
tmp = Strnew(); tmp = Strnew();
Strcat_char(tmp, *(p++)); Strcat_char(tmp, *(p++));
while (*p && *p != '/') while (*p && *p != '/')