Fix buffer overflow in CSS parser

* src/css-url.c (get_urls_css): Check input string length * fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240: Add reproducer corpus Fixes OSS-Fuzz issue #8032. This is a long standing bug affecting all versions <= 1.19.4.
2025-01-14 22:30:44 +08:00 · 2018-04-26 21:25:02 +02:00 · 2018-04-26 21:25:02 +02:00 · cb47f3aaa4
commit cb47f3aaa4
parent acfd9b4d56
2 changed files with 4 additions and 1 deletions
--- a/fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240
+++ b/fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240
@ -0,0 +1 @@
+@import
--- a/src/css-url.c
+++ b/src/css-url.c
@ -143,7 +143,7 @@ get_urls_css (struct map_context *ctx, int offset, int buf_length)
                {
                  uri = get_uri_string (ctx->text, &pos, &length);
                }
-              else
+              else if (length >= 2)
                {
                  /* cut out quote characters */
                  pos++;
@ -152,6 +152,8 @@ get_urls_css (struct map_context *ctx, int offset, int buf_length)
                  memcpy (uri, yytext + 1, length);
                  uri[length] = '\0';
                }
+              else
+                uri = NULL;

              if (uri)
                {