From: Fabian Keil Date: Sat, 24 Jan 2015 16:41:20 +0000 (+0000) Subject: chunked_body_is_complete(): Check input more carefully X-Git-Tag: v_3_0_23~12 X-Git-Url: http://www.privoxy.org/gitweb/%22https:/@user-manual@startup.html?a=commitdiff_plain;h=5e4afe3fa0696e23ce1b545b14450f225c4119c2;p=privoxy.git chunked_body_is_complete(): Check input more carefully Previously a nul-chunk without mandatory trailing "\r\n" would not be rejected as invalid. When compiled with assertions enabled, this would cause Privoxy to abort(). Reported by Matthew Daley. --- diff --git a/jcc.c b/jcc.c index 79536135..2ad98ab4 100644 --- a/jcc.c +++ b/jcc.c @@ -1,4 +1,4 @@ -const char jcc_rcs[] = "$Id: jcc.c,v 1.432 2014/12/19 12:28:10 fabiankeil Exp $"; +const char jcc_rcs[] = "$Id: jcc.c,v 1.433 2015/01/24 16:40:37 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/jcc.c,v $ @@ -1388,12 +1388,15 @@ static enum chunk_status chunked_body_is_complete(struct iob *iob, size_t *lengt { return CHUNK_STATUS_PARSE_ERROR; } - /* - * Skip "\r\n", the chunk data and another "\r\n". - * Moving p to either the beginning of the next chunk-size - * or one byte beyond the end of the chunked data. - */ - p += 2 + chunksize + 2; + /* Move beyond the chunkdata. */ + p += 2 + chunksize; + + /* There should be another "\r\n" to skip */ + if (memcmp(p, "\r\n", 2)) + { + return CHUNK_STATUS_PARSE_ERROR; + } + p += 2; } while (chunksize > 0U); *length = (size_t)(p - iob->cur);
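Review bot: In the second jcc.c hunk (chunked_body_is_complete()), the new `memcmp(p, "\r\n", 2)` reads two bytes at `p` immediately after `p += 2 + chunksize`, and nothing in the visible lines confirms that those two bytes still lie inside the buffered data. Since `chunksize` is parsed from the input being validated, this depends entirely on a length check earlier in the loop, outside this hunk, holding for chunk-size lines of any length. If that is not guaranteed, test `p + 2` against the end of the iob data before the `memcmp` and return the status used for incomplete input instead of comparing. A smaller point: the comment "There should be another "\r\n" to skip" could say that a mismatch is treated as a parse error for every chunk, not only for the nul-chunk case named in the commit message, and writing the condition as `memcmp(...) != 0` would make the intent explicit.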