author | Michael Drake <tlsa@netsurf-browser.org> | 2022-10-22 21:11:05 +0100 |
---|---|---|
committer | Michael Drake <mdrake.unique@gmail.com> | 2022-10-23 17:22:56 +0100 |
commit | 6c4343a742c70ee8adb6ff7b1ab476976955e58c (patch) | |
tree | ed8c2adb0537d8b7929da0ae37bfb1f1042f0d70 /utils | |
parent | ef00567b029ec007ceab342a2ed1addaa5f63be6 (diff) | |
utils: ssl_certs: Fix potential snprintf overflow
Diffstat (limited to 'utils')
-rw-r--r-- | utils/ssl_certs.c | 35 |
1 files changed, 28 insertions, 7 deletions
diff --git a/utils/ssl_certs.c b/utils/ssl_certs.c
index d0f2a6c18..8546165ac 100644
--- a/utils/ssl_certs.c
+++ b/utils/ssl_certs.c
@@ -248,12 +248,23 @@ nserror cert_chain_to_query(struct cert_chain *chain, struct nsurl **url_out )
 urlstrlen = snprintf((char *)urlstr, allocsize, "about:certificate");
 for (depth = 0; depth < chain->depth; depth++) {
+ int written;
 nsuerror nsures;
 size_t output_length;
- urlstrlen += snprintf((char *)urlstr + urlstrlen,
- allocsize - urlstrlen,
- "&cert=");
+ written = snprintf((char *)urlstr + urlstrlen,
+ allocsize - urlstrlen,
+ "&cert=");
+ if (written < 0) {
+ free(urlstr);
+ return NSERROR_UNKNOWN;
+ }
+ if ((size_t)written >= allocsize - urlstrlen) {
+ free(urlstr);
+ return NSERROR_UNKNOWN;
+ }
+
+ urlstrlen += (size_t)written;
 output_length = allocsize - urlstrlen;
 nsures = nsu_base64_encode_url(
@@ -268,10 +279,20 @@ nserror cert_chain_to_query(struct cert_chain *chain, struct nsurl **url_out )
 urlstrlen += output_length;
 if (chain->certs[depth].err != SSL_CERT_ERR_OK) {
- urlstrlen += snprintf((char *)urlstr + urlstrlen,
- allocsize - urlstrlen,
- "&certerr=%d",
- chain->certs[depth].err);
+ written = snprintf((char *)urlstr + urlstrlen,
+ allocsize - urlstrlen,
+ "&certerr=%d",
+ chain->certs[depth].err);
+ if (written < 0) {
+ free(urlstr);
+ return NSERROR_UNKNOWN;
+ }
+ if ((size_t)written >= allocsize - urlstrlen) {
+ free(urlstr);
+ return NSERROR_UNKNOWN;
+ }
+
+ urlstrlen += (size_t)written;
 }
 }
|
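Review bot: The first write into the buffer, `urlstrlen = snprintf((char *)urlstr, allocsize, "about:certificate");` on the context line above the loop, still stores snprintf's return value unchecked, so a negative or truncated result would feed straight into the `allocsize - urlstrlen` arithmetic that the rest of this hunk hardens. Assuming urlstrlen is a size_t (the `(size_t)written` casts suggest so), a guard such as `if (urlstrlen >= allocsize) { free(urlstr); return NSERROR_UNKNOWN; }` directly after that call would cover both cases. The allocation of urlstr and the computation of allocsize sit above the hunk in cert_chain_to_query, so whether the fixed prefix can ever fail to fit is not visible here.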
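Review bot: The bound `allocsize - urlstrlen` passed to the `&certerr=%d` snprintf, and reused in the truncation test, appears to be an unsigned subtraction that only means "space left" while urlstrlen is at most allocsize after the context line `urlstrlen += output_length;`. The base64 call that sets output_length lies between the two hunks, so whether it can report more than the capacity it was given cannot be confirmed from these lines; if it can, the subtraction wraps and both the size argument and the new check become ineffective. A guard before the snprintf, `if (urlstrlen >= allocsize) { free(urlstr); return NSERROR_UNKNOWN; }`, would make the check self-contained, or a comment stating the invariant would document the reliance. The rest of cert_chain_to_query continues outside the hunk.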