[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: wget2 | Buffer overflow in `wget_iri_clone` (#687)
From: |
@gleurent |
Subject: |
Re: wget2 | Buffer overflow in `wget_iri_clone` (#687) |
Date: |
Thu, 19 Dec 2024 14:26:28 +0000 |
Gaëtan Leurent commented:
https://gitlab.com/gnuwget/wget2/-/issues/687#note_2267861242
Here is a proposed patch:
```diff
diff --git a/libwget/iri.c b/libwget/iri.c
index 6b729ff2..0103248a 100644
--- a/libwget/iri.c
+++ b/libwget/iri.c
@@ -506,8 +506,8 @@ wget_iri *wget_iri_parse(const char *url, const char
*encoding)
if (have_scheme) {
iri->msize = slen + 1;
- iri->uri = memcpy(iri + 1, url, iri->msize);
- p = s = memcpy((char *)iri->uri + iri->msize, url, iri->msize);
+ p = s = memcpy(iri + 1, url, iri->msize);
+ iri->uri = memcpy(s + iri->msize, url, iri->msize);
s = strchr(s, ':'); // we know there is a :
*s++ = 0;
@@ -535,10 +535,10 @@ wget_iri *wget_iri_parse(const char *url, const char
*encoding)
}
} else {
// add http:// scheme to url
- iri->uri = memcpy(iri + 1, "http://", extra);
- memcpy((char *)iri->uri + extra, url, slen + 1);
+ s = memcpy(iri + 1, "http://", extra);
+ memcpy(s + extra, url, slen + 1);
iri->msize = extra + slen + 1;
- s = memcpy((char *)iri->uri + iri->msize, iri->uri, iri->msize);
+ iri->uri = memcpy((char *)s + iri->msize, s, iri->msize);
s[extra - 3] = 0;
s += extra;
@@ -719,8 +719,8 @@ wget_iri *wget_iri_clone(const wget_iri *iri)
if (!clone)
return NULL;
- memcpy(clone, iri, sizeof(wget_iri));
- clone->uri = memcpy(clone + 1, iri->uri, (slen + 1) + iri->msize);
+ memcpy(clone, iri, sizeof(wget_iri)+iri->msize);
+ clone->uri = memcpy((char *)(clone + 1) + iri->msize, iri->uri, slen +
1);
clone->uri_allocated = 0;
if (iri->userinfo)
```
--
Reply to this email directly or view it on GitLab:
https://gitlab.com/gnuwget/wget2/-/issues/687#note_2267861242
You're receiving this email because of your account on gitlab.com.