The format specifier for parsing percent-formatted characters uses
a maximum number of digits, not an exact number of digits.
If the hex number has only one digit this will skip a character,
potentially pointing past the terminating null byte.
---
http.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/http.c b/http.c
index 5b9dade..fb2dc42 100644
--- a/http.c
+++ b/http.c
@@ -136,7 +136,8 @@ decode(const char src[PATH_MAX], char
dest[PATH_MAX])
const char *s;
for (s = src, i = 0; *s; s++, i++) {
- if (*s == '%' && (sscanf(s + 1, "%2hhx", &n) == 1)) {
+ if (*s == '%' && isxdigit(s[1]) && isxdigit(s[2])) {
+ sscanf(s + 1, "%2hhx", &n);
dest[i] = n;
s += 2;
} else {
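Review bot: The added `isxdigit(s[1]) && isxdigit(s[2])` passes plain `char` values; on targets where `char` is signed, any byte above 0x7F becomes a negative argument, which is undefined behavior for the `<ctype.h>` classifiers (only `EOF` and values representable as `unsigned char` are permitted), and `src` here presumably carries bytes straight from the request path. Cast first: `if (*s == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {`. The short-circuit already keeps `s[2]` from being read when `s[1]` is the terminator, so the over-read the commit describes is closed. The `sscanf` return value is now ignored, which is only safe because both digits were validated on the line above; a comment such as `/* both hex digits validated above, so sscanf cannot fail */` would stop a later reader from re-adding a check or removing the validation. The enclosing `decode` body starts and ends outside the hunk, and whether `<ctype.h>` is already included cannot be seen from here.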
--
2.36.2