[SVN-1947] svn_path_uri_decode may copy garbage and overrun buffer when given partial % escape - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: all
Fix Version/s: 1.1-consider
Component/s: libsvn_subr
Labels:
None

Description

File libsvn_subr/path.c r10145 line 874: when checking for a % escape code in
url to be decoded, the two following digits are copied from the input without
checking if input ends in the middle.

The result is that trailing garbage (including the \0) is copied along. Because
the string buffer size is only set at the beginning to worst case assumption, it
is not grown accordingly and will be overrun in that situation.

Check should be

      else if (c == '%' && path[i + 1] && path[i + 2])

http://www.contactor.se/~dast/svn/archive-2004-07/0167.shtml

Original issue reported by kre

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

1_path.c_r10145_issue1947.patch
05/Jul/04 21:21
0.5 kB
Subversion Importer
2_path-test.c_r10145_issue1947.patch
05/Jul/04 22:25
2 kB
Subversion Importer
3_path.c_r10145_issue1947_2.patch
07/Jul/04 04:08
0.7 kB
Subversion Importer

Activity

People

Assignee:: Unassigned

Reporter:: Subversion Importer

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 05/Jul/04 21:16

Updated:: 27/Oct/18 16:39

Resolved:: 15/Sep/04 08:43