Fix buffer overflow in CSS parser

* src/css-url.c (get_uri_string): Check input length
* fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856:
  Add reproducer corpus

Fixes OSS-Fuzz issue #8033.
This is a long-standing bug affecting all versions <= 1.19.4.
Tim Rühsen 2018-04-26 22:40:11 +02:00
parent cb47f3aaa4
commit 78838d761f
2 changed files with 9 additions and 3 deletions


@ -0,0 +1 @@
#/*url( */ url()


@ -83,8 +83,9 @@ get_uri_string (const char *at, int *pos, int *length)
*pos += 4;
*length -= 5; /* url() */
/* skip leading space */
while (isspace (at[*pos]))
while (*length > 0 && isspace (at[*pos]))
{
(*pos)++;
if (--(*length) == 0)
@ -92,17 +93,21 @@ get_uri_string (const char *at, int *pos, int *length)
}
/* skip trailing space */
while (isspace (at[*pos + *length - 1]))
while (*length > 0 && isspace (at[*pos + *length - 1]))
{
(*length)--;
}
/* trim off quotes */
if (at[*pos] == '\'' || at[*pos] == '"')
if (*length >= 2 && (at[*pos] == '\'' || at[*pos] == '"'))
{
(*pos)++;
*length -= 2;
}
if (*length <= 0)
return NULL;
return xstrndup (at + *pos, *length);
}
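Review bot: The two bounded loops still hand `isspace` a plain `char` (`at[*pos]` and `at[*pos + *length - 1]`); a byte with the high bit set becomes a negative `int`, and the `<ctype.h>` functions are only defined for values representable as `unsigned char` or `EOF`, so on arbitrary input the call is undefined behaviour even though the index is now in range. Cast at both sites: `while (*length > 0 && isspace ((unsigned char) at[*pos]))` and `while (*length > 0 && isspace ((unsigned char) at[*pos + *length - 1]))`. The quote-trim branch now guards the length but still does not verify that the last character is the matching closing quote, so an unbalanced `'...` value silently loses its final byte — pre-existing, but worth a comment such as `/* assumes a matching closing quote; an unbalanced quote drops the last character */`. get_uri_string's body begins before the first hunk, and the first hunk's loop body continues past its last visible line.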