diff options
| author |  Santtu Lakkala | 2025-02-21 17:00:15 +0200 |
|---|---|---|
| committer |  Santtu Lakkala | 2025-02-21 17:03:49 +0200 |
| commit | e761dacee585b797f160aad01d3f0d4db950f0fa (patch) | |
| tree | eee79328fba6165b6878893895d9cbce45eeaa11 | |
| parent | Merge pull request 'Fix uninitialised memory access' (#306) from inz/snac2:un... (diff) | |
| download | snac2-e761dacee585b797f160aad01d3f0d4db950f0fa.tar.gz snac2-e761dacee585b797f160aad01d3f0d4db950f0fa.tar.xz snac2-e761dacee585b797f160aad01d3f0d4db950f0fa.zip | |
Fix memory leak in multipart parsing
Also remove usage of strchr() on non-NUL-terminated buffer.
| -rw-r--r-- | xs_url.h | 20 |
1 files changed, 10 insertions, 10 deletions
| @@ -185,18 +185,16 @@ xs_dict *xs_multipart_form_data(const char *payload, int p_size, const char *hea | |||
| 185 | 185 | ||
| 186 | /* iterate searching the boundaries */ | 186 | /* iterate searching the boundaries */ |
| 187 | while ((p = xs_memmem(payload + offset, p_size - offset, boundary, bsz)) != NULL) { | 187 | while ((p = xs_memmem(payload + offset, p_size - offset, boundary, bsz)) != NULL) { |
| 188 | xs *s1 = NULL; | 188 | xs *vn = NULL; |
| 189 | xs *l1 = NULL; | 189 | xs *fn = NULL; |
| 190 | const char *vn = NULL; | 190 | xs *ct = NULL; |
| 191 | const char *fn = NULL; | ||
| 192 | const char *ct = NULL; | ||
| 193 | char *q; | 191 | char *q; |
| 194 | int po, ps; | 192 | int po, ps; |
| 195 | 193 | ||
| 196 | /* final boundary? */ | 194 | /* final boundary? */ |
| 197 | p += bsz; | 195 | p += bsz; |
| 198 | 196 | ||
| 199 | if (p[0] == '-' && p[1] == '-') | 197 | if ((p - payload) + 2 > p_size || (p[0] == '-' && p[1] == '-')) |
| 200 | break; | 198 | break; |
| 201 | 199 | ||
| 202 | /* skip the \r\n */ | 200 | /* skip the \r\n */ |
| @@ -205,9 +203,11 @@ xs_dict *xs_multipart_form_data(const char *payload, int p_size, const char *hea | |||
| 205 | /* Tokodon sends also a Content-Type headers, | 203 | /* Tokodon sends also a Content-Type headers, |
| 206 | let's use it to determine the file type */ | 204 | let's use it to determine the file type */ |
| 207 | do { | 205 | do { |
| 208 | if (p[0] == 13 && p[1] == 10) | 206 | xs *s1 = NULL; |
| 207 | xs *l1 = NULL; | ||
| 208 | if (p[0] == '\r' && p[1] == '\n') | ||
| 209 | break; | 209 | break; |
| 210 | q = strchr(p, '\r'); | 210 | q = memchr(p, '\r', p_size - (p - payload)); |
| 211 | 211 | ||
| 212 | /* unexpected formatting, fail immediately */ | 212 | /* unexpected formatting, fail immediately */ |
| 213 | if (q == NULL) | 213 | if (q == NULL) |
| @@ -222,12 +222,12 @@ xs_dict *xs_multipart_form_data(const char *payload, int p_size, const char *hea | |||
| 222 | l1 = xs_split(s1, "\""); | 222 | l1 = xs_split(s1, "\""); |
| 223 | 223 | ||
| 224 | /* get the variable name */ | 224 | /* get the variable name */ |
| 225 | vn = xs_list_get(l1, 1); | 225 | vn = xs_dup(xs_list_get(l1, 1)); |
| 226 | 226 | ||
| 227 | /* is it an attached file? */ | 227 | /* is it an attached file? */ |
| 228 | if (xs_list_len(l1) >= 4 && strcmp(xs_list_get(l1, 2), "; filename=") == 0) { | 228 | if (xs_list_len(l1) >= 4 && strcmp(xs_list_get(l1, 2), "; filename=") == 0) { |
| 229 | /* get the file name */ | 229 | /* get the file name */ |
| 230 | fn = xs_list_get(l1, 3); | 230 | fn = xs_dup(xs_list_get(l1, 3)); |
| 231 | } | 231 | } |
| 232 | } | 232 | } |
| 233 | else | 233 | else |