authorGordon Tetlow <gordon@FreeBSD.org>2020-01-28 18:37:18 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2020-01-28 18:37:18 +0000
commit6fb3f9944faefa41b322b5e1bc0d280b4005ca44 (patch)
treecd445a8b6f5ebdc0a60e5e1ab4922ddbf98fac9f /lib/libfetch
parent95e6640be2eaed01e9186f1a437b5863b851285d (diff)
Fix urldecode buffer overrun.
Reported by: Duncan Overbruck Security: CVE-2020-7450
Notes
Notes: svn path=/head/; revision=357212
Diffstat (limited to 'lib/libfetch')
-rw-r--r--lib/libfetch/fetch.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/libfetch/fetch.c b/lib/libfetch/fetch.c
index b3ed702b3185c..9eec0730fa7df 100644
--- a/lib/libfetch/fetch.c
+++ b/lib/libfetch/fetch.c
@@ -332,6 +332,8 @@ fetch_pctdecode(char *dst, const char *src, size_t dlen)
}
if (dlen-- > 0)
*dst++ = c;
+ else
+ return (NULL);
}
return (s);
}
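Review bot: The new `else return (NULL);` branch gives fetch_pctdecode a failure return that nothing in the hunk documents, and that return is now what stops an over-long field from writing past `dst`, so the contract belongs in a comment on the function. I would add above the definition something like `/* Decodes at most dlen bytes from src into dst; returns NULL if the decoded field does not fit. */`. As far as the visible lines show, no terminator is ever written, so a field of exactly `dlen` bytes fills `dst` completely. Presumably the destination arrays are one byte larger than the length passed and start out zeroed, which should be confirmed against the struct definition and noted in the same comment. The start of the function lies outside the hunk, so an existing header comment may already cover part of this.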
@@ -381,11 +383,15 @@ fetchParseURL(const char *URL)
if (p && *p == '@') {
/* username */
q = fetch_pctdecode(u->user, URL, URL_USERLEN);
+ if (q == NULL)
+ goto ouch;
/* password */
- if (*q == ':')
+ if (*q == ':') {
q = fetch_pctdecode(u->pwd, q + 1, URL_PWDLEN);
-
+ if (q == NULL)
+ goto ouch;
+ }
p++;
} else {
p = URL;