Fix buffer overflow in CSS parser

* src/css-url.c (get_uri_string): Check input length
* fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856:
  Add reproducer corpus

Fixes OSS-Fuzz issue #8033.
This is a long-standing bug affecting all versions <= 1.19.4.
Tim Rühsen 2018-04-26 22:40:11 +02:00
parent cb47f3aaa4
commit 78838d761f
2 changed files with 9 additions and 3 deletions


@ -0,0 +1 @@
#/*url( */ url()


@ -83,8 +83,9 @@ get_uri_string (const char *at, int *pos, int *length)
*pos += 4; *pos += 4;
*length -= 5; /* url() */ *length -= 5; /* url() */
/* skip leading space */ /* skip leading space */
while (isspace (at[*pos])) while (*length > 0 && isspace (at[*pos]))
{ {
(*pos)++; (*pos)++;
if (--(*length) == 0) if (--(*length) == 0)
@ -92,17 +93,21 @@ get_uri_string (const char *at, int *pos, int *length)
} }
/* skip trailing space */ /* skip trailing space */
while (isspace (at[*pos + *length - 1])) while (*length > 0 && isspace (at[*pos + *length - 1]))
{ {
(*length)--; (*length)--;
} }
/* trim off quotes */ /* trim off quotes */
if (at[*pos] == '\'' || at[*pos] == '"') if (*length >= 2 && (at[*pos] == '\'' || at[*pos] == '"'))
{ {
(*pos)++; (*pos)++;
*length -= 2; *length -= 2;
} }
if (*length <= 0)
return NULL;
return xstrndup (at + *pos, *length); return xstrndup (at + *pos, *length);
} }
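Review bot: Both rewritten `while` conditions still hand a plain `char` from `at` (declared `const char *` in the hunk header) straight to `isspace`, which is undefined behaviour for any byte above 0x7F — exactly the kind of byte a fuzzer-generated stylesheet contains — so the new length guards should be paired with a cast: `while (*length > 0 && isspace ((unsigned char) at[*pos]))` and `while (*length > 0 && isspace ((unsigned char) at[*pos + *length - 1]))`. The quote-trimming branch now requires `*length >= 2` but still removes the final byte without checking that `at[*pos + *length - 1]` is the matching closing quote, so an unbalanced opening quote silently shortens the URI by one character; if that is intended, a comment such as `/* assumes a balanced closing quote; an unbalanced one drops the last byte */` would make it explicit. get_uri_string begins before this hunk, and the rendered view appears to omit some lines (the headers count 8→9 and 17→21 lines but fewer are shown), so the body under `if (--(*length) == 0)` could not be reviewed here.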