fix buffer overflow in url encoding (affecting msvc2010/2013)

2025-01-30 03:32:46 +00:00 · 2018-05-03 12:56:56 -04:00 · 2018-05-03 12:56:56 -04:00 · 05404f9104
commit 05404f9104
parent 803373bb09
2 changed files with 16 additions and 4 deletions
--- a/libretro-common/compat/compat_snprintf.c
+++ b/libretro-common/compat/compat_snprintf.c
@ -55,13 +55,19 @@ int c99_vsnprintf_retro__(char *outBuf, size_t size, const char *format, va_list

   if (size != 0)
 #if (_MSC_VER <= 1310)
-       count = _vsnprintf(outBuf, size, format, ap);
+       count = _vsnprintf(outBuf, size - 1, format, ap);
 #else
-       count = _vsnprintf_s(outBuf, size, _TRUNCATE, format, ap);
+       count = _vsnprintf_s(outBuf, size, size - 1, format, ap);
 #endif
   if (count == -1)
       count = _vscprintf(format, ap);

+   if (count == size)
+   {
+      /* there was no room for a NULL, so truncate the last character */
+      outBuf[size - 1] = '\0';
+   }
+
   return count;
 }

--- a/libretro-common/net/net_http.c
+++ b/libretro-common/net/net_http.c
@ -109,6 +109,7 @@ void net_http_urlencode(char **dest, const char *source)
   char *enc  = NULL;
   /* Assume every character will be encoded, so we need 3 times the space. */
   size_t len = strlen(source) * 3 + 1;
+   size_t count = len;

   if (!urlencode_lut_inited)
      urlencode_lut_init();
@ -119,11 +120,16 @@ void net_http_urlencode(char **dest, const char *source)

   for (; *source; source++)
   {
+      int written = 0;
+
      /* any non-ascii character will just be encoded without question */
      if ((unsigned)*source < sizeof(urlencode_lut) && urlencode_lut[(unsigned)*source])
-         snprintf(enc, len, "%c", urlencode_lut[(unsigned)*source]);
+         written = snprintf(enc, count, "%c", urlencode_lut[(unsigned)*source]);
      else
-         snprintf(enc, len, "%%%02X", *source & 0xFF);
+         written = snprintf(enc, count, "%%%02X", *source & 0xFF);
+
+      if (written > 0)
+         count -= written;

      while (*++enc);
   }