url_decode_internal could have been tricked into reading past the length
of the **query buffer if there are fewer than 2 characters after a % (in
a null-terminated string, % would have to be the last character).
Prevent this from happening by checking len before decoding the %
sequence.

Signed-off-by: Matthew DeVore <matv...@google.com>
---
 url.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/url.c b/url.c
index 25576c390b..c0bb4e23c3 100644
--- a/url.c
+++ b/url.c
@@ -39,21 +39,21 @@ static char *url_decode_internal(const char **query, int 
len,
                unsigned char c = *q;
 
                if (!c)
                        break;
                if (stop_at && strchr(stop_at, c)) {
                        q++;
                        len--;
                        break;
                }
 
-               if (c == '%') {
+               if (c == '%' && len >= 3) {
                        int val = hex2chr(q + 1);
                        if (0 <= val) {
                                strbuf_addch(out, val);
                                q += 3;
                                len -= 3;
                                continue;
                        }
                }
 
                if (decode_plus && c == '+')
-- 
2.17.1

Reply via email to