From ccac30117601f6773c65a07a9f34aab76dbe6fc0 Mon Sep 17 00:00:00 2001
From: Vincent Sanders
Date: Sat, 4 Jul 2015 09:36:46 +0100
Subject: Fix a signed comparison error in nsurl parsing.
In utils/nsurl.c the function nsurl__create_from_section() has a section dealing with non-redundant ports (starting line 973). lwc_intern_string() was being called with negative lengths and as it takes a size_t (unsigned) so is getting passed a very large length which causes a segfault. this is supposed to be protected by the flag setting on line 969 however the arithmetic is all *unsigned* so the condition never matches (gdb) p length - (colon - pegs->at + skip) $9 = 18446744073709551608 changing the check arithmetic to be a simple comparison against length prevents this issue and reduces the amount of computation required.
---
 utils/nsurl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'utils/nsurl.c')
diff --git a/utils/nsurl.c b/utils/nsurl.c
index e0e147229..4454ba8a1 100644
--- a/utils/nsurl.c
+++ b/utils/nsurl.c
@@ -963,7 +963,7 @@ static nserror nsurl__create_from_section(const char * const url_s,
 flags |= NSURL_F_NO_PORT;
 }
- if (length - (colon - pegs->at + skip) <= 0) {
+ if (length <= (colon - pegs->at + skip)) {
 /* No space for a port after the colon */
 flags |= NSURL_F_NO_PORT;
-- 
cgit v1.2.3
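Review bot: The rewritten guard `if (length <= (colon - pegs->at + skip))` has no comment saying why it must stay a comparison, so a later tidy-up could turn it back into a subtraction and reintroduce the wrap described in the commit message. I would extend the existing comment to something like `/* No space for a port after the colon; operands are unsigned, so compare rather than subtract */`. The right-hand side is still unsigned arithmetic, and the hunk does not show that `colon >= pegs->at` always holds; if it wraps, the flag is set, which looks like the safe direction but is worth confirming. The body of nsurl__create_from_section() continues outside the hunk, including the port code that per the description passes a length built from the same terms to lwc_intern_string(). Computing that offset once into a local used by both the guard and that call would keep the check and the length from drifting apart.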