url: do not read past end of buffer

url_decode_internal could have been tricked into reading past the length of the **query buffer if there are fewer than 2 characters after a % (in a null-terminated string, % would have to be the last character). Prevent this from happening by checking len before decoding the % sequence. Helped-by: René Scharfe <l.s.r@web.de> Signed-off-by: Matthew DeVore <matvore@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
author: Matthew DeVore <matvore@google.com> 2019-06-04 10:57:04 -0700
committer: Junio C Hamano <gitster@pobox.com> 2019-06-04 14:48:06 -0700
commit: 3f6b8a6177f3197ddad82a6da2ff9b4704664f5d (patch)
tree: a70f26379a9a1b3abcb2c616620cce994c7450df
parent: mingw: allow building with an MSYS2 runtime v3.x (diff)
download: tgif-3f6b8a6177f3197ddad82a6da2ff9b4704664f5d.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/url.c b/url.c
index 25576c390b..9ea9d5611b 100644
--- a/url.c
+++ b/url.c
@@ -46,7 +46,7 @@ static char *url_decode_internal(const char **query, int len,
 			break;
 		}
 
-		if (c == '%') {
+		if (c == '%' && (len < 0 || len >= 3)) {
 			int val = hex2chr(q + 1);
 			if (0 <= val) {
 				strbuf_addch(out, val);
author	Matthew DeVore <matvore@google.com>	2019-06-04 10:57:04 -0700
committer	Junio C Hamano <gitster@pobox.com>	2019-06-04 14:48:06 -0700
commit	3f6b8a6177f3197ddad82a6da2ff9b4704664f5d (patch)
tree	a70f26379a9a1b3abcb2c616620cce994c7450df
parent	mingw: allow building with an MSYS2 runtime v3.x (diff)
download	tgif-3f6b8a6177f3197ddad82a6da2ff9b4704664f5d.tar.xz