From 909a57ee08daf4cc12e777e3255eea27d246e8a4 Mon Sep 17 00:00:00 2001
From: hidnplayr <hidnplayr@kolibrios.org>
Date: Tue, 17 Oct 2017 21:18:36 +0000
Subject: [PATCH] HTTP_escape, HTTP_unescape, check for end of buffer.

git-svn-id: svn://kolibrios.org@7101 a494cfbc-eb01-0410-851d-a64ba20cac60
---
 programs/develop/libraries/http/http.asm | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/programs/develop/libraries/http/http.asm b/programs/develop/libraries/http/http.asm
index 0eac8e32bd..0aea17a431 100644
--- a/programs/develop/libraries/http/http.asm
+++ b/programs/develop/libraries/http/http.asm
@@ -1296,6 +1296,7 @@ proc HTTP_escape URI, length ;//////////////////////////////////////////////////
         invoke  mem.alloc, URLMAXLEN            ; FIXME: use length provided by caller to guess final size.
         test    eax, eax
         jz      .error
+        mov     edx, URLMAXLEN-1                ; Remaining space in temp buffer minus one for 0 byte
         mov     [esp + 7 * 4], eax              ; return ptr in eax
         mov     esi, [URI]
         mov     edi, eax
@@ -1315,9 +1316,13 @@ proc HTTP_escape URI, length ;//////////////////////////////////////////////////
         jc      .escape
 
         stosb
-        jmp     .loop
+        dec     edx
+        jnz     .loop
+        jmp     .out_of_space
 
   .escape:
+        sub     edx, 3
+        jbe     .out_of_space
         mov     al, '%'
         stosb
         mov     bl, byte[esi-1]
@@ -1331,7 +1336,11 @@ proc HTTP_escape URI, length ;//////////////////////////////////////////////////
         jmp     .loop
 
 
+  .out_of_space:
+        DEBUGF  2, "ERROR: buffer too small!\n"
+
   .done:
+        xor     al, al
         stosb
         sub     edi, [esp + 7 * 4]
         dec     edi
@@ -1367,6 +1376,7 @@ proc HTTP_unescape URI, length ;////////////////////////////////////////////////
         invoke  mem.alloc, URLMAXLEN            ; FIXME: use length provided by caller
         test    eax, eax
         jz      .error
+        mov     edx, URLMAXLEN-1                ; Remaining space in temp buffer minus one for 0 byte
         mov     [esp + 7 * 4], eax              ; return ptr in eax
         mov     esi, [URI]
         mov     edi, eax
@@ -1377,7 +1387,9 @@ proc HTTP_unescape URI, length ;////////////////////////////////////////////////
         cmp     al, '%'
         je      .unescape
         stosb
-        jmp     .loop
+        dec     edx
+        jnz     .loop
+        jmp     .out_of_space
 
   .unescape:
         xor     ebx, ebx
@@ -1402,13 +1414,19 @@ proc HTTP_unescape URI, length ;////////////////////////////////////////////////
         jc      .unescape_nibble
         mov     al, bl
         stosb
-        jmp     .loop
+        dec     edx
+        jnz     .loop
+        jmp     .out_of_space
 
   .fail:
         DEBUGF  2, "ERROR: invalid URI!\n"
         jmp     .loop
 
+  .out_of_space:
+        DEBUGF  2, "ERROR: buffer too small!\n"
+
   .done:
+        xor     al, al
         stosb
         popa
         DEBUGF  1, "unescaped URL: %s\n", eax