From fbf1ccee45b288eda345b9590ec1c403667f61d1 Mon Sep 17 00:00:00 2001
From: Sergey Lyubka <valenok@gmail.com>
Date: Sat, 16 Feb 2013 14:31:37 +0000
Subject: [PATCH] Fix out-of-bounds acces in url_decode()
---
 mongoose.c | 2 +-
 test/unit_test.c | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/mongoose.c b/mongoose.c
index 5d7d31b68..e4491e879 100644
--- a/mongoose.c
+++ b/mongoose.c
@@ -1646,7 +1646,7 @@ static int url_decode(const char *src, int src_len, char *dst,
 #define HEXTOI(x) (isdigit(x) ? x - '0' : x - 'W')
 for (i = j = 0; i < src_len && j < dst_len - 1; i++, j++) {
- if (src[i] == '%' &&
+ if (src[i] == '%' && i < src_len - 2 &&
 isxdigit(* (const unsigned char *) (src + i + 1)) &&
 isxdigit(* (const unsigned char *) (src + i + 2))) {
 a = tolower(* (const unsigned char *) (src + i + 1));
diff --git a/test/unit_test.c b/test/unit_test.c
index 1d9a9b7b7..575cf3724 100644
--- a/test/unit_test.c
+++ b/test/unit_test.c
@@ -583,10 +583,21 @@ static void test_url_decode(void) {
 ASSERT(url_decode("foo", 3, buf, 3, 0) == -1); // No space for terminating \0
 ASSERT(url_decode("foo", 3, buf, 4, 0) == 3);
 ASSERT(strcmp(buf, "foo") == 0);
+
 ASSERT(url_decode("a+", 2, buf, sizeof(buf), 0) == 2);
 ASSERT(strcmp(buf, "a+") == 0);
+
 ASSERT(url_decode("a+", 2, buf, sizeof(buf), 1) == 2);
 ASSERT(strcmp(buf, "a ") == 0);
+
+ ASSERT(url_decode("%61", 1, buf, sizeof(buf), 1) == 1);
+ ASSERT(strcmp(buf, "%") == 0);
+
+ ASSERT(url_decode("%61", 2, buf, sizeof(buf), 1) == 2);
+ ASSERT(strcmp(buf, "%6") == 0);
+
+ ASSERT(url_decode("%61", 3, buf, sizeof(buf), 1) == 1);
+ ASSERT(strcmp(buf, "a") == 0);
 }
 static void test_mg_strcasestr(void) {
-- GitLab
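Review bot: The new guard `i < src_len - 2` in the `if (src[i] == '%' ...` condition is safe only while `src_len` stays a signed `int`, as the signature in the hunk header declares it; if the length ever became unsigned, `src_len - 2` would wrap for inputs shorter than two bytes and the guard would always pass. Writing it as `src_len - i > 2` keeps the same meaning, cannot wrap because the loop condition already guarantees `i < src_len`, and reads directly as "two more bytes follow the '%'". A one-line comment such as `/* both hex digits must lie inside src[0..src_len) */` would record why the check exists. The function body starts and ends outside the hunk, so the handling of a non-positive `dst_len` and the write of the terminator could not be checked here.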
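Review bot: The three added `"%61"` cases pass a four-byte string literal and only shorten `src_len`, so the bytes just past the declared length are still valid memory and a memory checker would stay silent if the over-read came back; the tests catch it only through the decoded output. A case whose buffer ends exactly at `src_len`, for example `char one[1] = {'%'}; ASSERT(url_decode(one, 1, buf, sizeof(buf), 0) == 1);`, would let AddressSanitizer or Valgrind flag a regression directly. All new cases also pass 1 as the last argument, and none puts the truncated escape after other characters (such as `"ab%6"` with length 4), so those paths remain uncovered.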