Fixed open byte overread in decodeURI() and decodeURIComponent().
authorDmitry Volyntsev <xeioex@nginx.com>
Fri, 7 Jun 2024 06:10:12 +0000 (23:10 -0700)
committerDmitry Volyntsev <xeioexception@gmail.com>
Mon, 10 Jun 2024 21:49:46 +0000 (14:49 -0700)
Found by OSS-Fuzz and MemorySanitizer.

src/njs_string.c
src/test/njs_unit_test.c

index aaa5ba01e6dc24580e354bd959eba1409930efb9..8f199592362ee54cacc8c6713a56f4fd251f1c95 100644 (file)
@@ -4074,7 +4074,7 @@ njs_string_decode_uri(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
             n++;
         } while (((cp << n) & 0x80));
 
-        if (njs_slow_path(n > 4)) {
+        if (njs_slow_path(n > 4 || src + njs_length("%00") * (n - 1)  > end)) {
             goto uri_error;
         }
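Review bot: The added bound in the `if` compares `src + njs_length("%00") * (n - 1)` with `end`, so on truncated input the left-hand side is a pointer more than one past the end of the buffer, which C leaves undefined even though it is never dereferenced. Comparing lengths avoids forming that pointer: `if (njs_slow_path(n > 4 || (size_t) (end - src) < njs_length("%00") * (size_t) (n - 1))) {` (wrapped to fit the line limit), keeping `n > 4` first so the multiplication stays bounded. A short comment such as `/* the remaining n - 1 bytes must each be a complete "%XX" escape */` would explain the length, assuming that is what the following loop consumes. The declarations of `n`, `src` and `end` and the rest of njs_string_decode_uri lie outside this hunk, so the casts are a guess at their types.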
 
index f5d2e808dc23946e9dae46ed54904610e2f797cd..830e68f3f2953f23fef5fb280d7864d1fd384537 100644 (file)
@@ -10016,13 +10016,17 @@ static njs_unit_test_t  njs_test[] =
               " '%',"
               " '%0',"
               " '%QQ',"
+              " '%C0%' + '0',"
               " '%C0%10',"
+              " '%C0%80',"
               " '%DC%C7',"
               " '%80%81%82',"
               " '%EF%5C%A0',"
               " '%EF%A0%5E',"
+              " '%E0%EF%' + '0',"
               " '%E0%EF%A0',"
               " '%E0%A0%EF',"
+              " '%F0%A2%95%' + '0',"
               " '%FF%A2%95%BB',"
               "].every(v=>{try { decodeURI(v)} catch(e) {return e.name == 'URIError'}})"),
       njs_str("true")},
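Review bot: The new inputs `'%C0%' + '0'`, `'%E0%EF%' + '0'` and `'%F0%A2%95%' + '0'` carry no explanation of why they are concatenated instead of written as one literal like the neighbouring entries. Presumably the run-time concatenation puts the truncated escape at the very end of its own allocation so MemorySanitizer can see a read past it; if so, a comment above them should say that, e.g. `/* built at run time so the truncated escape ends the buffer (MSan) */`, otherwise a later cleanup may fold them into plain literals and lose the regression coverage. The visible callback calls only `decodeURI(v)`, so unless a case outside this hunk covers it, the same list should also be run through `decodeURIComponent`, which the commit title names as affected. The test array starts and ends outside the hunk.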