From 09f9ac5066ee71f7cc1d5a6401dfa7f49d1dd677 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Petr=20=C5=A0tetiar?=
Date: Sun, 11 Oct 2020 13:57:10 +0200
Subject: [PATCH] Fix off-by-one in postdecode_fields
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Fixes the following error found by the fuzzer:

 ERROR: AddressSanitizer: SEGV on unknown address 0x60c000120000 (pc 0x00000054f64f bp 0x000000000008 sp 0x7ffe4fc2c120 T0)
 The signal is caused by a READ memory access.
     #0 0x54f64f in postdecode_fields cgi-io/util.c:93:7
     #1 0x54f382 in LLVMFuzzerTestOneInput cgi-io/tests/fuzz/test-fuzz.c:36:6

That is caused by reading 1 byte past the size of the buffer.

Signed-off-by: Petr Štetiar
---
 ...crash-9adc1b00fe9189d66d3bfd8b7759b003cf3f5427 | Bin 0 -> 191 bytes
 ...crash-c1e3b9cd71f83cc0de5ab4c0e3db39316cd5c6c0 |   1 +
 util.c                                            |   2 +-
 3 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 tests/fuzz/corpus/crash-9adc1b00fe9189d66d3bfd8b7759b003cf3f5427
 create mode 100644 tests/fuzz/corpus/crash-c1e3b9cd71f83cc0de5ab4c0e3db39316cd5c6c0

diff --git a/tests/fuzz/corpus/crash-9adc1b00fe9189d66d3bfd8b7759b003cf3f5427 b/tests/fuzz/corpus/crash-9adc1b00fe9189d66d3bfd8b7759b003cf3f5427 new file mode 100644 index 0000000000000000000000000000000000000000..7122f990552e3b5228c521d76372669707f57e5b GIT binary patch literal 191 YcmZQ*APQ9DR3(H{22+AMrXZUO03e258vp
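Review bot: the util.c hunk that the diffstat lists (util.c | 2 +-) is not present in this excerpt; only the header of the binary corpus file crash-9adc1b00fe9189d66d3bfd8b7759b003cf3f5427 survives, so the actual off-by-one fix at postdecode_fields (util.c:93) cannot be reviewed from what is visible here. The commit message also records only the symptom (a 1-byte read past the buffer) and the sanitizer trace; it should state which length check in postdecode_fields was changed, and which of the two new corpus files (crash-9adc1b00..., crash-c1e3b9cd...) reproduces the trace, so a reader can tie each regression input to the fix.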