Philip Withnall authored
There is a limited (1 or 2 byte) read off the end of the buffer if its final or penultimate byte is `%` and it’s not nul-terminated after that. If the buffer *is* nul-terminated then the first `g_ascii_isxdigit()` call safely returns `FALSE` and the code moves on.

Fix it by adding an additional check, and some unit tests to catch the behaviour.

This bug is present in libsoup, which `GUri` is based on, but not exploitable due to how the external API only exposes nul-terminated strings. See libsoup!126 for the fix there.

oss-fuzz#23815
oss-fuzz#23818

Signed-off-by: Philip Withnall <withnall@endlessm.com>
f9d165ad
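
The kind of length check the commit message describes, shown as an added example that is not GLib's or libsoup's code: a percent-decoder over a length-delimited buffer that confirms two bytes remain after `%` before inspecting them. The names `pct_decode` and `hexval`, the signature, and the choice to reject a truncated escape with -1 are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not GLib's API: value of one validated hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    return c - 'a' + 10;
}

/*
 * Percent-decode exactly `len` bytes of `in` (which need not be
 * nul-terminated) into `out`, which must hold at least `len` bytes.
 * Returns the decoded length, or -1 on a malformed escape.
 */
long pct_decode(const char *in, size_t len, char *out)
{
    const char *s = in, *end = in + len;
    char *d = out;

    while (s < end) {
        if (*s == '%') {
            /* Length check first: without it, a '%' in the final or
             * penultimate byte makes s[1] / s[2] read past `end`. */
            if (end - s < 3 ||
                !isxdigit((unsigned char)s[1]) ||
                !isxdigit((unsigned char)s[2]))
                return -1;
            *d++ = (char)(hexval((unsigned char)s[1]) << 4 |
                          hexval((unsigned char)s[2]));
            s += 3;
        } else {
            *d++ = *s++;
        }
    }
    return (long)(d - out);
}

int main(void)
{
    /* Constructed input: exactly 3 bytes, no terminator, '%' penultimate. */
    const char buf[3] = { 'a', '%', '4' };
    char out[3];
    printf("%ld\n", pct_decode(buf, sizeof buf, out)); /* prints -1 */
    return 0;
}
```

Building this with `-fsanitize=address` and removing the `end - s < 3` test reproduces the class of out-of-bounds read on the constructed input, which is how a fuzzer reports it.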