soup-uri: Check string lengths before reading bytes of %-encoded chars

There are two instances in
called two bytes ahead of the read pointer to check if a %-encoding is
valid. This is fine when the string being parsed is nul-terminated (as
g_ascii_isxdigit() call will safely return
will result in a read off the end of the buffer if it’s
length-terminated (and doesn’t happen to also be nul-terminated).
Thankfully, that’s not the case in any of the code paths in
leading to these two instances, so this is not a security issue.
However, the functions should probably be fixed to do an appropriate length check, just in case they get called from somewhere else in future.

Spotted by oss-fuzz in oss-fuzz#23815 and oss-fuzz#23818, when it was
fuzzing the new
GUri implementation in GLib, which is heavily based
off this code.

Includes two unit tests which don’t actually trigger the original
failure (as all strings passed into
SoupURI are forced to be
nul-terminated), but would trigger it if the nul termination was not

Signed-off-by: Philip Withnall email@example.com