From: Jo-Philipp Wich Date: Wed, 10 Aug 2022 19:43:08 +0000 (+0200) Subject: main: fix two one-byte overreads in header_value() X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=refs%2Fheads%2Fmaster;p=project%2Fcgi-io.git main: fix two one-byte overreads in header_value() By passing specially crafted header values, the skip loops in the header_value() function may override the input buffer by one byte each. Reported-by: Jinwei Dong Signed-off-by: Jo-Philipp Wich
---
diff --git a/main.c b/main.c
index e55051e..8ca4c04 100644
--- a/main.c
+++ b/main.c
@@ -314,21 +314,21 @@ header_value(multipart_parser *p, const char *data, size_t len)
 if (len < 10 || strncasecmp(data, "form-data", 9))
 return 0;
- for (data += 9, len -= 9; *data == ' ' || *data == ';'; data++, len--);
+ for (data += 9, len -= 9; len > 0 && (*data == ' ' || *data == ';'); data++, len--);
 if (len < 8 || strncasecmp(data, "name=\"", 6))
 return 0;
- for (data += 6, len -= 6, i = 0; i <= len; i++)
+ for (data += 6, len -= 6, i = 1; i < len; i++)
 {
- if (*(data + i) != '"')
- continue;
-
- for (j = 1; j < sizeof(parts) / sizeof(parts[0]); j++)
- if (!strncmp(data, parts[j], i))
- st.parttype = j;
+ if (data[i] == '"')
+ {
+ for (j = 1; j < sizeof(parts) / sizeof(parts[0]); j++)
+ if (!strncmp(data, parts[j], i - 1))
+ st.parttype = j;
- break;
+ break;
+ }
 }
 return 0;
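Review bot: The new comparison `strncmp(data, parts[j], i - 1)` checks one byte fewer than the quoted name holds. When `data[i] == '"'` the name occupies `data[0]` to `data[i-1]`, which is `i` bytes, so its last character is never compared. A one-character name compares zero bytes and therefore matches every entry, leaving `st.parttype` at the highest index. Even with length `i` this is only a prefix test, so a name shorter than a `parts[]` entry would still select it; an exact match such as `if (strlen(parts[j]) == i && !memcmp(data, parts[j], i))` ties the part type to the full field name. The `parts[]` table and the rest of `header_value()` lie outside the hunk, so which field names are affected should be confirmed against the full file.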