From: Fabian Keil <fk@fabiankeil.de>
Date: Sat, 24 Jan 2015 16:41:20 +0000 (+0000)
Subject: chunked_body_is_complete(): Check input more carefully
X-Git-Tag: v_3_0_23~12
X-Git-Url: http://www.privoxy.org/gitweb/%22https:/@default-cgi@/faq/static/user-manual/@default-cgi@send-stylesheet?a=commitdiff_plain;h=5e4afe3fa0696e23ce1b545b14450f225c4119c2;p=privoxy.git

chunked_body_is_complete(): Check input more carefully

Previously a nul-chunk without mandatory trailing "\r\n" would
not be rejected as invalid. When compiled with assertions enabled,
this would cause Privoxy to abort().

Reported by Matthew Daley.
---

diff --git a/jcc.c b/jcc.c
index 79536135..2ad98ab4 100644
--- a/jcc.c
+++ b/jcc.c
@@ -1,4 +1,4 @@
-const char jcc_rcs[] = "$Id: jcc.c,v 1.432 2014/12/19 12:28:10 fabiankeil Exp $";
+const char jcc_rcs[] = "$Id: jcc.c,v 1.433 2015/01/24 16:40:37 fabiankeil Exp $";
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/jcc.c,v $
@@ -1388,12 +1388,15 @@ static enum chunk_status chunked_body_is_complete(struct iob *iob, size_t *lengt
       {
          return CHUNK_STATUS_PARSE_ERROR;
       }
-      /*
-       * Skip "\r\n", the chunk data and another "\r\n".
-       * Moving p to either the beginning of the next chunk-size
-       * or one byte beyond the end of the chunked data.
-       */
-      p += 2 + chunksize + 2;
+      /* Move beyond the chunkdata. */
+      p += 2 + chunksize;
+
+      /* There should be another "\r\n" to skip */
+      if (memcmp(p, "\r\n", 2))
+      {
+         return CHUNK_STATUS_PARSE_ERROR;
+      }
+      p += 2;
    } while (chunksize > 0U);
 
    *length = (size_t)(p - iob->cur);
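Review bot: The added `memcmp(p, "\r\n", 2)` reads two bytes at `p` right after `p += 2 + chunksize`, and nothing visible in this hunk establishes that `p + 2` still lies within the buffered data. The function body starts above the hunk and continues below it, so an earlier length check may cover this. If that check budgets for a shorter chunk-size line than the one actually skipped, a `chunksize` parsed from the (presumably remote-supplied) body could move `p` past the end of the buffer before the comparison. A local guard immediately before the memcmp, for example `if (p + 2 > iob->eod) return CHUNK_STATUS_BODY_INCOMPLETE;`, would keep the read in bounds without relying on the earlier arithmetic. The new comment could also state that `chunksize` is untrusted input, so the reason for re-validating is clear to the next reader.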