]> git.kaiwu.me - njs.git/commitdiff
projects / njs.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: baedbcb)
A fix in decodeURI() and decodeURIComponent() functions.
authorIgor Sysoev <igor@sysoev.ru>
Sat, 22 Oct 2016 17:24:32 +0000 (20:24 +0300)
committerIgor Sysoev <igor@sysoev.ru>
Sat, 22 Oct 2016 17:24:32 +0000 (20:24 +0300)
Found with afl-fuzz.

njs/njs_string.c patch | blob | history

diff --git a/njs/njs_string.c b/njs/njs_string.c
index 0803c006b9a0a8c7d2dee2bd516bb17614566014..3c414a531742e560ac2d64d444997903092acde6 100644 (file)
--- a/njs/njs_string.c
+++ b/njs/njs_string.c
@@ -3070,7 +3070,6 @@ njs_string_decode(njs_vm_t *vm, njs_value_t *value, const uint32_t *reserve)
         byte = *src++;
 
         if (byte == '%') {
-
             size -= 2;
 
             if (size <= 0) {
@@ -3117,6 +3116,8 @@ njs_string_decode(njs_vm_t *vm, njs_value_t *value, const uint32_t *reserve)
         byte = *src++;
 
         if (byte == '%') {
+            size -= 2;
+
             d0 = hex[*src++];
             d1 = hex[*src++];
             byte = (d0 << 4) + d1;
@@ -3124,7 +3125,6 @@ njs_string_decode(njs_vm_t *vm, njs_value_t *value, const uint32_t *reserve)
             utf8 |= (byte >= 0x80);
 
             if ((reserve[byte >> 5] & ((uint32_t) 1 << (byte & 0x1f))) != 0) {
-                size -= 2;
                 *dst++ = '%';
                 *dst++ = src[-2];
                 byte = src[-1];
@@ -3132,7 +3132,6 @@ njs_string_decode(njs_vm_t *vm, njs_value_t *value, const uint32_t *reserve)
         }
 
         *dst++ = byte;
-
         size--;
 
     } while (size != 0);
njs upstream