Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- all
- None
Description
File libsvn_subr/path.c r10145 line 874: when checking for a % escape code in the URL to be decoded, the two following digits are copied from the input without checking whether the input ends in the middle. The result is that trailing garbage (including the \0) is copied along. Because the string buffer size is only set at the beginning to a worst-case assumption, it is not grown accordingly and will be overrun in that situation. The check should be: else if (c == '%' && path[i + 1] && path[i + 2])
http://www.contactor.se/~dast/svn/archive-2004-07/0167.shtml
Original issue reported by kre
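
The bounds check described in this report, shown in a stand-alone decoder as an added example that is not Subversion's code. The function name uri_decode_checked and the sample inputs are constructed for illustration, and the hex-digit test is an assumption that goes beyond the check the report proposes.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Subversion's code): decode %XX escapes in a
   NUL-terminated string into a malloc'd copy. strlen(in) + 1 bytes is a
   true worst case only if the loop never steps past the terminator. */
char *uri_decode_checked(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len + 1);
    size_t i, o = 0;
    if (out == NULL)
        return NULL;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        /* The check from the report: both bytes after '%' must exist.
           && short-circuits, so in[i + 2] is read only when in[i + 1]
           is not the terminator. The isxdigit() tests are added here. */
        if (c == '%' && in[i + 1] && in[i + 2]
            && isxdigit((unsigned char)in[i + 1])
            && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            i += 2;   /* consume the two digits; i stays below len */
        }
        out[o++] = (char)c;   /* o <= i < len, so out[len] is left for NUL */
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: one well-formed, the rest cut off or malformed. */
    const char *samples[] = { "a%20b", "trunk%", "trunk%4", "%zz", "%41%" };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        char *d = uri_decode_checked(samples[n]);
        if (d != NULL) {
            printf("%-8s -> %s\n", samples[n], d);
            free(d);
        }
    }
    return 0;
}
```

A truncated escape such as a trailing "%" or "%4" is copied through literally, so the index never advances beyond the terminator and the output never exceeds the input length.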