Merged revisions 301308 via svnmerge from
authorMatthew Nicholson <mnicholson@digium.com>
Tue, 11 Jan 2011 18:55:16 +0000 (18:55 +0000)
committerMatthew Nicholson <mnicholson@digium.com>
Tue, 11 Jan 2011 18:55:16 +0000 (18:55 +0000)
https://origsvn.digium.com/svn/asterisk/branches/1.8

................
  r301308 | mnicholson | 2011-01-11 12:51:40 -0600 (Tue, 11 Jan 2011) | 18 lines

  Merged revisions 301307 via svnmerge from
  https://origsvn.digium.com/svn/asterisk/branches/1.6.2

  ................
    r301307 | mnicholson | 2011-01-11 12:42:05 -0600 (Tue, 11 Jan 2011) | 11 lines

    Merged revisions 301305 via svnmerge from
    https://origsvn.digium.com/svn/asterisk/branches/1.4

    ........
      r301305 | mnicholson | 2011-01-11 12:34:40 -0600 (Tue, 11 Jan 2011) | 4 lines

      Prevent buffer overflows in ast_uri_encode()

      ABE-2705
    ........
  ................
................

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@301309 65c4cc65-6c06-0410-ace0-fbb531ad65f3

main/utils.c

index f8ec82f..6ce659c 100644 (file)
@@ -391,33 +391,32 @@ static void base64_init(void)
 char *ast_uri_encode(const char *string, char *outbuf, int buflen, int do_special_char)
 {
        const char *ptr  = string;      /* Start with the string */
-       char *out = NULL;
-       char *buf = NULL;
+       char *out = outbuf;
        const char *mark = "-_.!~*'()"; /* no encode set, RFC 2396 section 2.3, RFC 3261 sec 25 */
-       ast_copy_string(outbuf, string, buflen);
 
-       while (*ptr) {
+       while (*ptr && out - outbuf < buflen - 1) {
                if ((const signed char) *ptr < 32 || *ptr == 0x7f || *ptr == '%' ||
                                (do_special_char &&
                                !(*ptr >= '0' && *ptr <= '9') &&      /* num */
                                !(*ptr >= 'A' && *ptr <= 'Z') &&      /* ALPHA */
                                !(*ptr >= 'a' && *ptr <= 'z') &&      /* alpha */
                                !strchr(mark, *ptr))) {               /* mark set */
-
-                       /* Oops, we need to start working here */
-                       if (!buf) {
-                               buf = outbuf;
-                               out = buf + (ptr - string) ;    /* Set output ptr */
+                       if (out - outbuf >= buflen - 3) {
+                               break;
                        }
+
                        out += sprintf(out, "%%%02X", (unsigned char) *ptr);
-               } else if (buf) {
+               } else {
                        *out = *ptr;    /* Continue copying the string */
                        out++;
                }
                ptr++;
        }
-       if (buf)
+
+       if (buflen) {
                *out = '\0';
+       }
+
        return outbuf;
 }