From cb47f3aaa4591b3a7f20fd30019fc4d81ecb4f4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?=
Date: Thu, 26 Apr 2018 21:25:02 +0200
Subject: [PATCH] Fix buffer overflow in CSS parser

* src/css-url.c (get_urls_css): Check input string length
* fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240: Add reproducer corpus

Fixes OSS-Fuzz issue #8032.
This is a long standing bug affecting all versions <= 1.19.4.
---
 .../negative-size-param-5724866467594240 | 1 +
 src/css-url.c | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240

diff --git a/fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240 b/fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240
new file mode 100644
index 00000000..db585a9f
--- /dev/null
+++ b/fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240
@@ -0,0 +1 @@
+@import 
\ No newline at end of file
diff --git a/src/css-url.c b/src/css-url.c
index 1d62ec65..9c851bd3 100644
--- a/src/css-url.c
+++ b/src/css-url.c
@@ -143,7 +143,7 @@ get_urls_css (struct map_context *ctx, int offset, int buf_length)
 {
 uri = get_uri_string (ctx->text, &pos, &length);
 }
- else
+ else if (length >= 2)
 {
 /* cut out quote characters */
 pos++;
@@ -152,6 +152,8 @@ get_urls_css (struct map_context *ctx, int offset, int buf_length)
 memcpy (uri, yytext + 1, length);
 uri[length] = '\0';
 }
+ else
+ uri = NULL;

 if (uri)
 {
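Review bot: The new `else if (length >= 2)` guard in the first src/css-url.c hunk gives no hint why two is the threshold; the reason — the quote-pair stripping (`length -= 2`, judging by the "cut out quote characters" comment and the `yytext + 1` memcpy) sits between the two hunks and is not visible here — is only recoverable from the commit message. A comment above the condition would keep that knowledge next to the check: `/* a quoted string is at least its two quote characters; anything shorter would make the length subtraction below negative and the memcpy size with it (OSS-Fuzz #8032) */`. The `else uri = NULL;` added in the second hunk appears to exist so that the `if (uri)` that follows does not act on a value left over from an earlier token — if that is the intent, a short comment such as `/* too short to be a quoted string: nothing to extract */` would record it. get_urls_css begins before the first hunk and continues past the second, so whether `length` is signed (as the negative-size-param reproducer name suggests) cannot be confirmed from these lines.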