There are two instances in `SoupURI` where `g_ascii_isxdigit()` is called two bytes ahead of the read pointer to check if a %-encoding is valid. This is fine when the string being parsed is nul-terminated (as the first `g_ascii_isxdigit()` call will safely return `FALSE`), but will result in a read off the end of the buffer if it’s length-terminated (and doesn’t happen to also be nul-terminated).

Thankfully, that’s not the case in any of the code paths in `SoupURI` leading to these two instances, so this is not a security issue. However, the functions should probably be fixed to do an appropriate length check, just in case they get called from somewhere else in future.

Spotted by oss-fuzz in oss-fuzz#23815 and oss-fuzz#23818, when it was fuzzing the new `GUri` implementation in GLib, which is heavily based off this code.

Includes two unit tests which don’t actually trigger the original failure (as all strings passed into `SoupURI` are forced to be nul-terminated), but would trigger it if the nul termination was not present.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
ab859a8a
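The pattern the commit describes, as an added illustration that is not libsoup's code: a %-escape validity check that takes the number of bytes still readable and refuses to look two bytes ahead unless they are actually inside the buffer, so the same decoder is safe for both nul-terminated and length-terminated input. The function names `valid_pct_escape` and `pct_decode_len` are hypothetical; plain `isxdigit()` stands in for `g_ascii_isxdigit()`.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libsoup's): nonzero if the bytes at s begin a
 * valid "%XX" escape. `remaining` is how many bytes may be read from s.
 * Checking it before touching s[1] and s[2] is the length check the commit
 * asks for: without it, a length-terminated buffer that ends in "%" or "%4"
 * would be read one or two bytes past its end. */
static int valid_pct_escape(const char *s, size_t remaining)
{
    if (remaining < 3)                  /* not enough room for '%', 'X', 'X' */
        return 0;
    return s[0] == '%' &&
           isxdigit((unsigned char)s[1]) &&
           isxdigit((unsigned char)s[2]);
}

/* Value of one ASCII hex digit; caller guarantees isxdigit(c). */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return c - 'A' + 10;
}

/* Hypothetical decoder: expand %XX escapes in a length-terminated input
 * (which need not be nul-terminated) into out, which must have room for
 * len + 1 bytes. Malformed or truncated escapes are copied through
 * unchanged. Returns the number of bytes written, excluding the final nul. */
size_t pct_decode_len(const char *in, size_t len, char *out)
{
    size_t i = 0, o = 0;

    while (i < len) {
        /* len - i is exactly the number of bytes still readable at in + i */
        if (valid_pct_escape(in + i, len - i)) {
            out[o++] = (char)((hexval(in[i + 1]) << 4) | hexval(in[i + 2]));
            i += 3;
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed input with no trailing nul, ending mid-escape. */
    char raw[] = { 'a', '%', '4', '1', '%', '4' };
    char out[sizeof raw + 1];

    pct_decode_len(raw, sizeof raw, out);
    printf("%s\n", out);                /* "aA%4" */
    return 0;
}
```

The decoder never dereferences beyond `in + len - 1`, which is the property a unit test on a deliberately non-nul-terminated buffer (as the commit's tests do) would catch under ASan if it were violated.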