clean up error handling in memdupdec to fix buffer overflows

Fixes #265 Fixes #266 Fixes #267 Closes #270
curl · Feb 19, 2024 · d801161 · d801161
1 parent f969627
commit d801161
Showing 1 changed file with 18 additions and 23 deletions.
diff --git a/trurl.c b/trurl.c
@@ -624,11 +624,11 @@ static void showqkey(FILE *stream, const char *key, size_t klen,
   struct string *qp = urldecode ? qpairsdec : qpairs;
 
   for(i = 0; i< nqpairs; i++) {
-    if(!strncmp(key, qp[i].str, klen) &&
-       (qp[i].str[klen] == '=')) {
+    if(!strncmp(key, qp[i].str, klen) && (qp[i].str[klen] == '=')) {
       if(shown)
         fputc(' ', stream);
-      fputs(&qp[i].str[klen + 1], stream);
+      fprintf(stream, "%.*s", (int) (qp[i].len - klen - 1),
+              &qp[i].str[klen + 1]);
       if(!showall)
         break;
       shown = true;
@@ -989,11 +989,11 @@ static void json(struct option *o, CURLU *uh)
     int j;
     fputs(",\n    \"params\": [\n", stdout);
     for(j = 0 ; j < nqpairs; j++) {
-      const char *sep = strchr(qpairsdec[j].str, '=');
+      const char *sep = memchr(qpairsdec[j].str, '=', qpairsdec[j].len);
       const char *value = sep ? sep + 1 : "";
-
+      int value_len = (int) qpairsdec[j].len - (int)(value - qpairsdec[j].str);
       /* don't print out empty/trimmed values */
-      if(!qpairsdec[j].str[0])
+      if(!qpairsdec[j].len || !qpairsdec[j].str[0])
         continue;
       if(!first)
         fputs(",\n", stdout);
@@ -1004,7 +1004,7 @@ static void json(struct option *o, CURLU *uh)
                        qpairsdec[j].len,
                  false);
       fputs(",\n        \"value\": ", stdout);
-      jsonString(stdout, sep?value:"", sep?qpairsdec[j].len:0, false);
+      jsonString(stdout, sep?value:"", sep?value_len:0, false);
       fputs("\n      }", stdout);
     }
     fputs("\n    ]", stdout);
@@ -1068,7 +1068,7 @@ static void trim(struct option *o)
             !strncasecmp(q, ptr, inslen))) {
           /* this qpair should be stripped out */
           free(qpairs[i].str);
-          curl_free(qpairsdec[i].str);
+          free(qpairsdec[i].str);
           qpairs[i].str = strdup(""); /* marked as deleted */
           qpairs[i].len = 0;
           qpairsdec[i].str = strdup(""); /* marked as deleted */
@@ -1107,14 +1107,13 @@ static struct string *memdupdec(char *source, size_t len, bool json)
   int left_len = 0;
   char *str;
   struct string *ret;
-
   left = strurldecode(source, (int)(sep ? (size_t)(sep - source) : len),
                       &left_len);
   if(sep) {
     char *p;
     int plen;
     right = strurldecode(sep + 1, (int)(len - (sep - source) - 1),
-            (int *)&right_len);
+            &right_len);
 
     /* convert null bytes to periods */
     for(plen = right_len, p = right; plen; plen--, p++) {
@@ -1123,13 +1122,13 @@ static struct string *memdupdec(char *source, size_t len, bool json)
       }
      }
   }
-
-  str = curl_maprintf("%.*s%s%.*s", left_len, left,
-                      right ? "=":"",
-                      right_len, right?right:"");
-  /* handle strings with null characters */
-  if(sep && right) {
-    memcpy(str + left_len + 1, right, right_len);
+  str = malloc(sizeof(char) * (left_len + (sep?(right_len + 1):0)));
+  if(!str)
+    return NULL;
+  memcpy(str, left, left_len);
+  if(sep) {
+    str[left_len] = '=';
+    memcpy(str + 1 + left_len, right, right_len);
   }
   curl_free(right);
   curl_free(left);
@@ -1138,11 +1137,7 @@ static struct string *memdupdec(char *source, size_t len, bool json)
     return NULL;
   }
   ret->str = str;
-  if(right)
-    ret->len = right_len;
-  else {
-    ret->len = left_len;
-  }
+  ret->len = left_len + (sep?(right_len + 1):0);
   return ret;
 }
 
@@ -1154,7 +1149,7 @@ static void freeqpairs(void)
     if(qpairs[i].len) {
       free(qpairs[i].str);
       qpairs[i].str = NULL;
-      curl_free(qpairsdec[i].str);
+      free(qpairsdec[i].str);
       qpairsdec[i].str = NULL;
     }
   }