Re: [PATCH] Issue #1947 Submission #4 svn_path_uri_decode may copy garbage and overrun buffer when given partial % escape

Branko Čibej wrote:

> [...] macros that evaluate the argument more than once are evil.

Ow. That naïve macro of mine was asking for more trouble than there was
before.

> [...]
> Just fix the patch and I'll apply it. :-)

Yessir! :-)

/Klaus

[[[
Check that the two characters following the % escape are valid hex digits. This serves to check for premature end of input as well.

Fixes Issue #1947 svn_path_uri_decode may copy garbage and overrun buffer when given partial % escape.

* subversion/libsvn_subr/path.c
  (svn_path_uri_decode): Check syntax of % escape.

* subversion/tests/libsvn_subr/path-test.c
  (test_uri_decode): New test function.
  (test_funcs): Added test_uri_decode.
]]]

Index: D:/kre/workspace/svn/subversion/libsvn_subr/path.c
===================================================================
--- D:/kre/workspace/svn/subversion/libsvn_subr/path.c (revision 10180)
+++ D:/kre/workspace/svn/subversion/libsvn_subr/path.c (working copy)
@@ -22,6 +22,7 @@
 #include <assert.h>
 
 #include <apr_file_info.h>
+#include <apr_lib.h>
 
 #include "svn_string.h"
 #include "svn_path.h"
@@ -892,7 +893,9 @@
            * RFC 2396, section 3.3 */
           c = ' ';
         }
- else if (c == '%')
+ else if (c == '%'
+ && apr_isxdigit (path[i + 1])
+ && apr_isxdigit (path[i + 2]))
         {
           char digitz[3];
           digitz[0] = path[++i];

Index: D:/kre/workspace/svn/subversion/tests/libsvn_subr/path-test.c
===================================================================
--- D:/kre/workspace/svn/subversion/tests/libsvn_subr/path-test.c (revision 10170)
+++ D:/kre/workspace/svn/subversion/tests/libsvn_subr/path-test.c (working copy)
@@ -292,6 +292,45 @@
 
 
 static svn_error_t *
+test_uri_decode (const char **msg,
+ svn_boolean_t msg_only,
+ apr_pool_t *pool)
+{
+ int i;
+
+ const char *paths[3][2] = {
+ { "http://c.r.a/s%\0008me",
+ "http://c.r.a/s%"},
+ { "http://c.r.a/s%6\000me",
+ "http://c.r.a/s%6" },
+ { "http://c.r.a/s%68me",
+ "http://c.r.a/shme" },
+ };
+
+ *msg = "test svn_path_uri_decode with invalid escape";
+
+ if (msg_only)
+ return SVN_NO_ERROR;
+
+ for (i = 0; i < 3; i++)
+ {
+ const char *de_path;
+
+ /* URI-decode the path, and verify the results. */
+ de_path = svn_path_uri_decode (paths[i][0], pool);
+ if (strcmp (de_path, paths[i][1]))
+ {
+ return svn_error_createf
+ (SVN_ERR_TEST_FAILED, NULL,
+ "svn_path_uri_decode ('%s') returned '%s' instead of '%s'",
+ paths[i][0], de_path, paths[i][1]);
+ }
+ }
+ return SVN_NO_ERROR;
+}
+
+
+static svn_error_t *
 test_join (const char **msg,
            svn_boolean_t msg_only,
            apr_pool_t *pool)
@@ -605,6 +644,7 @@
     SVN_TEST_PASS (test_is_url),
     SVN_TEST_PASS (test_is_uri_safe),
     SVN_TEST_PASS (test_uri_encode),
+ SVN_TEST_PASS (test_uri_decode),
     SVN_TEST_PASS (test_join),
     SVN_TEST_PASS (test_basename),
     SVN_TEST_PASS (test_decompose),

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Jul 8 11:46:04 2004