On Tue, Aug 16, 2022 at 05:42:50PM +0000, HushBugger wrote:
> The format specifier for parsing percent-formatted characters uses
> a maximum number of digits, not an exact number of digits.
> 
> If the hex number has only one digit this will skip a character,
> potentially pointing past the terminating null byte.
> ---
>  http.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/http.c b/http.c
> index 5b9dade..fb2dc42 100644
> --- a/http.c
> +++ b/http.c
> @@ -136,7 +136,8 @@ decode(const char src[PATH_MAX], char dest[PATH_MAX])
>         const char *s;
> 
>         for (s = src, i = 0; *s; s++, i++) {
> -               if (*s == '%' && (sscanf(s + 1, "%2hhx", &n) == 1)) {
> +               if (*s == '%' && isxdigit(s[1]) && isxdigit(s[2])) {
> +                       sscanf(s + 1, "%2hhx", &n);
>                         dest[i] = n;
>                         s += 2;
>                 } else {
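Review bot: the two isxdigit() calls on the added line take s[1] and s[2] as plain char (s is declared const char *), so on platforms where char is signed a byte above 0x7f is passed as a negative value, which is undefined behaviour for the <ctype.h> functions. Write isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2]). The diffstat counts only the two insertions in this hunk, so no #include is added: confirm http.c already pulls in <ctype.h>. With both digits validated up front, the now unchecked sscanf() on the following line cannot fail to match, and it could be replaced by converting the two digits directly.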
> --
> 2.36.2
> 

Haven't tested the patch and not sure it is correct, but if so then isxdigit
needs a cast using (unsigned char).

-- 
Kind regards,
Hiltjo
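
The one-digit case from the commit message, replayed without the out-of-bounds read, as an added example (not code from the patch or the project). old_accepts and new_accepts copy the two conditions from the hunk, with the cast from the reply applied to the second; steps_past_nul is a hypothetical helper that tracks the cursor by index instead of dereferencing it, and the inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Pre-patch test from the hunk: "%2hhx" accepts one OR two hex digits. */
static int old_accepts(const char *s)
{
	unsigned char n;

	return *s == '%' && sscanf(s + 1, "%2hhx", &n) == 1;
}

/* Patched test, with the (unsigned char) cast asked for in the reply. */
static int new_accepts(const char *s)
{
	return *s == '%' && isxdigit((unsigned char)s[1]) &&
	       isxdigit((unsigned char)s[2]);
}

/*
 * Hypothetical helper: replay the loop's cursor movement with an index so
 * nothing is read out of bounds. Returns 1 if `s` would end up past the
 * terminating NUL, i.e. the next `*s` test would read outside the string.
 */
static int steps_past_nul(const char *src, int (*accepts)(const char *))
{
	size_t len = strlen(src), i;

	for (i = 0; i < len; i++)
		if (accepts(src + i))
			i += 2; /* mirrors "s += 2" in the hunk */
	return i > len;
}

int main(void)
{
	/* Constructed inputs: a full escape, then escapes cut short. */
	const char *inputs[] = { "/a%41", "/a%4", "/a%", "/a%4g" };
	size_t k;

	for (k = 0; k < sizeof(inputs) / sizeof(inputs[0]); k++)
		printf("%-8s old: %d  patched: %d\n", inputs[k],
		       steps_past_nul(inputs[k], old_accepts),
		       steps_past_nul(inputs[k], new_accepts));
	return 0;
}
```

Only "/a%4" moves the pre-patch cursor past the terminator; "/a%4g" stays in bounds but the old test still accepts it and swallows the 'g'.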
