From 78838d761f9699a6f17107a522c13cb200ae50c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?=
Date: Thu, 26 Apr 2018 22:40:11 +0200
Subject: [PATCH] Fix buffer overflow in CSS parser
* src/css-url.c (get_uri_string): Check input length
* fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856: Add reproducer corpus
Fixes OSS-Fuzz issue #8033. This is a long standing bug affecting all versions <= 1.19.4.
---
 .../buffer-overflow-6600180399865856 | 1 +
 src/css-url.c | 11 ++++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856
diff --git a/fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856 b/fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856
new file mode 100644
index 00000000..c279a765
--- /dev/null
+++ b/fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856
@@ -0,0 +1 @@
+#/*url( */ url()
\ No newline at end of file
diff --git a/src/css-url.c b/src/css-url.c
index 9c851bd3..c4f77613 100644
--- a/src/css-url.c
+++ b/src/css-url.c
@@ -83,8 +83,9 @@ get_uri_string (const char *at, int *pos, int *length)
 *pos += 4;
 *length -= 5; /* url() */
+ /* skip leading space */
- while (isspace (at[*pos]))
+ while (*length > 0 && isspace (at[*pos]))
 {
 (*pos)++;
 if (--(*length) == 0)
@@ -92,17 +93,21 @@ get_uri_string (const char *at, int *pos, int *length)
 }
 /* skip trailing space */
- while (isspace (at[*pos + *length - 1]))
+ while (*length > 0 && isspace (at[*pos + *length - 1]))
 {
 (*length)--;
 }
+ /* trim off quotes */
- if (at[*pos] == '\'' || at[*pos] == '"')
+ if (*length >= 2 && (at[*pos] == '\'' || at[*pos] == '"'))
 {
 (*pos)++;
 *length -= 2;
 }
+ if (*length <= 0)
+ return NULL;
+
 return xstrndup (at + *pos, *length);
 }
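Review bot: Both rewritten `while` conditions still hand a plain `char` to `isspace()` — `at[*pos]` in this hunk and `at[*pos + *length - 1]` in the next one — and when `char` is signed any byte above 0x7f becomes a negative argument, which the C standard leaves undefined for the `<ctype.h>` functions (only `EOF` and values representable as `unsigned char` are valid). The added length guard therefore makes the index safe but not the classification on non-ASCII stylesheet bytes; write `while (*length > 0 && isspace ((unsigned char) at[*pos]))` here and the same cast in the trailing-space loop. With the new loop guard in place, the `if (--(*length) == 0)` check inside the loop duplicates what the loop condition and the final `*length <= 0` return already cover, so it could be dropped, though it is harmless. get_uri_string's body continues past the end of this hunk.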
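Review bot: The quote-trimming branch discards the last character of the value without confirming it is the closing quote matching `at[*pos]`, so the new `*length >= 2` test keeps the accesses in bounds but a constructed, unterminated value such as `url("ab)` still yields `a`. If the tokenizer that produced `at`/`*length` (outside this hunk) does not already guarantee a balanced closing quote, tighten the condition to `if (*length >= 2 && (at[*pos] == '\'' || at[*pos] == '"') && at[*pos + *length - 1] == at[*pos])` and decide explicitly whether a mismatch is returned untrimmed or rejected with `NULL`. The `*length -= 5; /* url() */` line in the previous hunk also presumes the token ends in `)`; the new `*length <= 0` return now turns a shorter token into `NULL` instead of an out-of-range read, which is the right outcome, but a one-line comment stating that assumption next to the subtraction would help the next reader.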