soup-uri: Check string lengths before reading bytes of %-encoded chars

Philip Withnall requested to merge pwithnall/libsoup:uri-parsing-lengths into master

There are two instances in SoupURI where g_ascii_isxdigit() is called two bytes ahead of the read pointer to check if a %-encoding is valid. This is fine when the string being parsed is nul-terminated (as the first g_ascii_isxdigit() call will safely return FALSE), but will result in a read off the end of the buffer if it’s length-terminated (and doesn’t happen to also be nul-terminated).

Thankfully, that’s not the case in any of the code paths in SoupURI leading to these two instances, so this is not a security issue.

However, the functions should probably be fixed to do an appropriate length check, just in case they get called from somewhere else in future.

Spotted by oss-fuzz in oss-fuzz#23815 and oss-fuzz#23818, when it was fuzzing the new GUri implementation in GLib, which is heavily based off this code.

Includes two unit tests which don’t actually trigger the original failure (as all strings passed into SoupURI are forced to be nul-terminated), but would trigger it if the nul termination was not present.

Signed-off-by: Philip Withnall withnall@endlessm.com
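
The two checks the description contrasts, as an added example in C that is not libsoup's or GLib's code. The function names (`pct_valid_unchecked`, `pct_valid`, `pct_decode`) are hypothetical, `ascii_isxdigit` is a local stand-in for GLib's `g_ascii_isxdigit()` so the example builds without GLib, and the inputs are constructed for the example. The unchecked variant only reads ahead safely because a nul byte fails the first digit test; the length-checked variant is the shape of fix the merge request describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII-only hex digit test. Assumption: same semantics as GLib's
 * g_ascii_isxdigit(), which the libsoup code uses; defined locally so
 * this example has no GLib dependency and is locale-independent. */
static int ascii_isxdigit(char c)
{
    return (c >= '0' && c <= '9') ||
           (c >= 'a' && c <= 'f') ||
           (c >= 'A' && c <= 'F');
}

/* Value of a hex digit already validated by ascii_isxdigit(). */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return c - 'A' + 10;
}

/* The pattern the merge request fixes: inspects s[i+1] and s[i+2] with no
 * idea how many bytes remain. Safe only on a nul-terminated string, where
 * s[i+1] == '\0' fails the first test and && short-circuits before s[i+2].
 * On a length-terminated buffer it can read past the end. Kept here for
 * contrast; only ever call it with a nul-terminated string. */
static int pct_valid_unchecked(const char *s, size_t i)
{
    return s[i] == '%' && ascii_isxdigit(s[i + 1]) && ascii_isxdigit(s[i + 2]);
}

/* Hardened form: bounds first, bytes second. Requires the escape and both
 * hex digits to lie inside the len bytes starting at s. */
static int pct_valid(const char *s, size_t len, size_t i)
{
    return i < len && s[i] == '%' &&
           len - i >= 3 &&
           ascii_isxdigit(s[i + 1]) && ascii_isxdigit(s[i + 2]);
}

/* Decode %XX escapes from a length-terminated input into out, which is
 * nul-terminated on success. Invalid or truncated escapes are copied through
 * literally. Returns bytes written (excluding the nul), or -1 if out is too
 * small (outcap counts the nul). */
static long pct_decode(const char *s, size_t len, char *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i < len; ) {
        if (o + 1 >= outcap)
            return -1;
        if (pct_valid(s, len, i)) {
            out[o++] = (char)((hexval(s[i + 1]) << 4) | hexval(s[i + 2]));
            i += 3;
        } else {
            out[o++] = s[i++];
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed input: three bytes ending in '%', deliberately with no
     * trailing nul. The unchecked test must not be used on this buffer. */
    const char raw[] = { 'a', 'b', '%' };
    char out[16];

    printf("length-checked on raw[2]: %d\n", pct_valid(raw, sizeof raw, 2));

    /* Same content as a nul-terminated literal: here the unchecked variant
     * stops at the nul, which is why the libsoup call sites were not
     * exploitable in practice. */
    printf("unchecked on literal \"ab%%\": %d\n", pct_valid_unchecked("ab%", 2));

    long n = pct_decode("%41%zz%4", 8, out, sizeof out);
    printf("decoded %ld bytes: %s\n", n, out);
    return 0;
}
```

`pct_decode` shows why the ordering in `pct_valid` matters: with `len - i >= 3` checked before the digit tests, a trailing `%` or `%4` at the end of a slice is passed through as literal bytes rather than read beyond `len`.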