pike.git/
src/
modules/
_Roxen/
roxen.c
2014-10-16
2014-10-16 16:39:33 by Arne Goedeke <el@laramies.com>
6812791f06336a05876b03964dc81e73fe35cc16 (
34
lines) (+
20
/-
14
)
Branch:
8.1
_Roxen.http_decode_string: do not overflow
400:
* * proc counts the number of characters that are to be removed. */
-
for (; COMPARE_PCHARP(foo, <, end);
INC_PCHARP(foo, 1
)
)
{
-
p_wchar2 c =
INDEX
_PCHARP(foo,
0
);
-
if (c =
=
'%')
{
-
c
=
INDEX
_PCHARP(
foo
, 1);
+
for (; COMPARE_PCHARP(foo, <, end);) {
+
p_wchar2 c =
EXTRACT
_PCHARP(foo
);
+
INC_PCHARP(foo
,
1
);
+
if (c
!
= '%')
continue;
+
/*
there
are
at
least 2 more characters */
+
if (SUBTRACT
_PCHARP(
end
,
foo) <=
1)
+
Pike_error("Truncated http transport encoded string.\n")
;
+
c = EXTRACT_PCHARP(foo);
if (c == 'u' || c == 'U') {
-
+
if (SUBTRACT_PCHARP(end, foo) <= 4)
+
Pike_error("Truncated unicode sequence.\n");
/* %uXXXX */
-
if (
INDEX
_PCHARP(foo
, 2
) != '0' || INDEX_PCHARP(foo,
3
) != '0') {
+
if (
EXTRACT
_PCHARP(foo) != '0' || INDEX_PCHARP(foo,
1
) != '0') {
if (!size_shift) size_shift = 1; } proc += 5;
416:
INC_PCHARP(foo, 2); } }
-
}
+
if (!proc) { pop_n_elems(args-1); return; }