File CVE-2018-19198.patch of Package uriparser.33965
Index: uriparser-uriparser-0.8.5/src/UriQuery.c
===================================================================
--- uriparser-uriparser-0.8.5.orig/src/UriQuery.c
+++ uriparser-uriparser-0.8.5/src/UriQuery.c
@@ -223,6 +223,7 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHA
/* Copy key */
if (firstItem == URI_TRUE) {
+ ampersandLen = 1;
firstItem = URI_FALSE;
} else {
write[0] = _UT('&');
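Review bot: The added `ampersandLen = 1;` is the whole fix, yet it has no comment, and the length check that uses it is outside this hunk, so a reader cannot tell from these lines why the first-item branch sets it. I would put `/* every item after the first is preceded by '&'; count it in the size check */` directly above the assignment. ComposeQueryEngine starts and ends outside the hunk, so it is worth confirming that the size-only path (presumably the branch taken when no destination buffer is given) updates ampersandLen in the same way. If it does not, the required-size query and the write path could disagree on the length needed for multi-item lists.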
Index: uriparser-uriparser-0.8.5/test/test.cpp
===================================================================
--- uriparser-uriparser-0.8.5.orig/test/test.cpp
+++ uriparser-uriparser-0.8.5/test/test.cpp
@@ -103,6 +103,7 @@ public:
TEST_ADD(UriSuite::testQueryList)
TEST_ADD(UriSuite::testQueryListPair)
TEST_ADD(UriSuite::testQueryDissection_Bug3590761)
+ TEST_ADD(UriSuite::testQueryCompositionMathWrite_GoogleAutofuzz113244572)
TEST_ADD(UriSuite::testFreeCrash_Bug20080827)
TEST_ADD(UriSuite::testParseInvalid_Bug16)
TEST_ADD(UriSuite::testRangeComparison)
@@ -1739,6 +1740,33 @@ Rule | Ex
uriFreeQueryListA(queryList);
}
+ void testQueryCompositionMathWrite_GoogleAutofuzz113244572() {
+ UriQueryListA second = { .key = "\x11", .value = NULL, .next = NULL };
+ UriQueryListA first = { .key = "\x01", .value = "\x02", .next = &second };
+ const UriBool spaceToPlus = URI_TRUE;
+ const UriBool normalizeBreaks = URI_FALSE; /* for factor 3 but 6 */
+ const int charsRequired = (3 + 1 + 3) + 1 + (3);
+ {
+ // Minimum space to hold everything fine
+ const char * const expected = "%01=%02" "&" "%11";
+ char dest[charsRequired + 1];
+ int charsWritten;
+ TEST_ASSERT(uriComposeQueryExA(dest, &first, sizeof(dest),
+ &charsWritten, spaceToPlus, normalizeBreaks)
+ == URI_SUCCESS);
+ TEST_ASSERT(! strcmp(dest, expected));
+ TEST_ASSERT(charsWritten == strlen(expected) + 1);
+ }
+ {
+ // Previous math failed to take ampersand into account
+ char dest[charsRequired + 1 - 1];
+ int charsWritten;
+ TEST_ASSERT(uriComposeQueryExA(dest, &first, sizeof(dest),
+ &charsWritten, spaceToPlus, normalizeBreaks)
+ == URI_ERROR_OUTPUT_TOO_LARGE);
+ }
+ }
+
void testFreeCrash_Bug20080827() {
char const * const sourceUri = "abc";
char const * const baseUri = "http://www.example.org/";
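Review bot: The one-byte-short case in testQueryCompositionMathWrite_GoogleAutofuzz113244572 asserts only the `URI_ERROR_OUTPUT_TOO_LARGE` return code, so a regression that writes past `dest` before failing would still pass unless the suite runs under a memory sanitizer. Keeping the array at `charsRequired + 1`, setting a sentinel with `dest[charsRequired] = '\x7f';`, passing `charsRequired` as the size and then checking `TEST_ASSERT(dest[charsRequired] == '\x7f');` would make the test itself detect the overwrite. It would also help to assert that `uriComposeQueryCharsRequiredExA` reports a length consistent with `charsRequired`, since the size query and the writer must agree for callers that allocate from it. Two smaller points: `{ .key = ..., .value = ..., .next = ... }` in what looks like a C++ file relies on a compiler extension before C++20, and the comment `/* for factor 3 but 6 */` would read better as `/* worst-case expansion factor 3, not 6 */`.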