wget-dev
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: wget2 | Buffer overflow in `wget_iri_clone` (#687)


From: @gleurent
Subject: Re: wget2 | Buffer overflow in `wget_iri_clone` (#687)
Date: Thu, 19 Dec 2024 14:26:28 +0000



Gaëtan Leurent commented: 
https://gitlab.com/gnuwget/wget2/-/issues/687#note_2267861242


Here is a proposed patch:

```diff
diff --git a/libwget/iri.c b/libwget/iri.c
index 6b729ff2..0103248a 100644
--- a/libwget/iri.c
+++ b/libwget/iri.c
@@ -506,8 +506,8 @@ wget_iri *wget_iri_parse(const char *url, const char 
*encoding)
 
        if (have_scheme) {
                iri->msize = slen + 1;
-               iri->uri = memcpy(iri + 1, url, iri->msize);
-               p = s = memcpy((char *)iri->uri + iri->msize, url, iri->msize);
+               p = s = memcpy(iri + 1, url, iri->msize);
+               iri->uri = memcpy(s + iri->msize, url, iri->msize);
                s = strchr(s, ':'); // we know there is a :
                *s++ = 0;
 
@@ -535,10 +535,10 @@ wget_iri *wget_iri_parse(const char *url, const char 
*encoding)
                }
        } else {
                // add http:// scheme to url
-               iri->uri = memcpy(iri + 1, "http://";, extra);
-               memcpy((char *)iri->uri + extra, url, slen + 1);
+               s = memcpy(iri + 1, "http://";, extra);
+               memcpy(s + extra, url, slen + 1);
                iri->msize = extra + slen + 1;
-               s = memcpy((char *)iri->uri + iri->msize, iri->uri, iri->msize);
+               iri->uri = memcpy((char *)s + iri->msize, s, iri->msize);
                s[extra - 3] = 0;
                s += extra;
 
@@ -719,8 +719,8 @@ wget_iri *wget_iri_clone(const wget_iri *iri)
        if (!clone)
                return NULL;
 
-       memcpy(clone, iri, sizeof(wget_iri));
-       clone->uri = memcpy(clone + 1, iri->uri, (slen + 1) + iri->msize);
+       memcpy(clone, iri, sizeof(wget_iri)+iri->msize);
+       clone->uri = memcpy((char *)(clone + 1) + iri->msize, iri->uri, slen + 
1);
        clone->uri_allocated = 0;
 
        if (iri->userinfo)
```

-- 
Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnuwget/wget2/-/issues/687#note_2267861242
You're receiving this email because of your account on gitlab.com.




reply via email to

[Prev in Thread] Current Thread [Next in Thread]