soup-uri: Check string lengths before reading bytes of %-encoded chars
There are two instances in SoupURI where g_ascii_isxdigit() is called two bytes ahead of the read pointer to check if a %-encoding is valid. This is fine when the string being parsed is nul-terminated (as the first g_ascii_isxdigit() call will safely return FALSE), but will result in a read off the end of the buffer if it’s length-terminated (and doesn’t happen to also be nul-terminated).

Thankfully, that’s not the case in any of the code paths in SoupURI leading to these two instances, so this is not a security issue.
However, the functions should probably be fixed to do an appropriate length check, just in case they get called from somewhere else in future.
Spotted by oss-fuzz in oss-fuzz#23815 and oss-fuzz#23818, when it was fuzzing the new GUri implementation in GLib, which is heavily based off this code.
Includes two unit tests which don’t actually trigger the original failure (as all strings passed into SoupURI are forced to be nul-terminated), but would trigger it if the nul termination was not present.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
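The pattern the commit describes, as an added illustration that is not libsoup's own code: a %-escape validator for a length-terminated buffer that checks the remaining length before it reads the two bytes after the `%`, so the hex test is never applied past `len`. Function names (`is_valid_percent_escape`, `percent_decode_len`, `hexval`) are invented for this example; the sample inputs are constructed, including a buffer that is deliberately not nul-terminated.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example code, not from libsoup. Value of one hex digit, or -1. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/* Nonzero if s[i] begins a complete %XX escape within the first len bytes.
 * The length test (len - i >= 3) runs before the isxdigit() calls, so for a
 * buffer that ends in "%4" with no nul after it, s[i + 2] is never read.
 * Without that test, a nul-terminated string would stop safely at the nul,
 * but a length-terminated one would read one byte past its end. */
int is_valid_percent_escape(const char *s, size_t len, size_t i)
{
    return i < len && s[i] == '%' && len - i >= 3 &&
           isxdigit((unsigned char)s[i + 1]) &&
           isxdigit((unsigned char)s[i + 2]);
}

/* Decodes %XX escapes from a length-terminated input into out (always
 * nul-terminated, truncated to outsz - 1 bytes). Invalid or incomplete
 * escapes are copied through literally. Returns the number of bytes
 * written, not counting the trailing nul. */
size_t percent_decode_len(const char *in, size_t len, char *out, size_t outsz)
{
    size_t i = 0, o = 0;

    if (outsz == 0)
        return 0;
    while (i < len && o + 1 < outsz) {
        if (is_valid_percent_escape(in, len, i)) {
            out[o++] = (char)(hexval((unsigned char)in[i + 1]) * 16 +
                              hexval((unsigned char)in[i + 2]));
            i += 3;
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed: exactly three bytes, no terminating nul. A check that
     * looks two bytes past the '%' without a length test would read raw[3]. */
    const char raw[3] = { 'x', '%', '4' };
    char out[16];

    percent_decode_len(raw, sizeof raw, out, sizeof out);
    printf("\"%s\" -> \"%s\"\n", "x%4 (unterminated)", out);

    percent_decode_len("a%41b", 5, out, sizeof out);
    printf("\"a%%41b\" -> \"%s\"\n", out);
    return 0;
}
```

The important ordering is in `is_valid_percent_escape`: `len - i >= 3` is evaluated first, and `&&` short-circuits, so the two `isxdigit()` calls only ever see bytes inside the caller's stated length.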