From 50a0c8a6461bae58819f84fafe429d1e552861fa Mon Sep 17 00:00:00 2001
From: Matthew Nicholson <mnicholson@digium.com>
Date: Tue, 11 Jan 2011 18:55:16 +0000
Subject: [PATCH] Merged revisions 301308 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.8 ................ r301308 | mnicholson | 2011-01-11 12:51:40 -0600 (Tue, 11 Jan 2011) | 18 lines Merged revisions 301307 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.6.2 ................ r301307 | mnicholson | 2011-01-11 12:42:05 -0600 (Tue, 11 Jan 2011) | 11 lines Merged revisions 301305 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r301305 | mnicholson | 2011-01-11 12:34:40 -0600 (Tue, 11 Jan 2011) | 4 lines Prevent buffer overflows in ast_uri_encode() ABE-2705 ........ ................ ................ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@301309 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 main/utils.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/main/utils.c b/main/utils.c
index f8ec82f259..6ce659c41f 100644
--- a/main/utils.c
+++ b/main/utils.c
@@ -391,33 +391,32 @@ static void base64_init(void) char *ast_uri_encode(const char *string, char *outbuf, int buflen, int do_special_char) { const char *ptr = string; /* Start with the string */ - char *out = NULL; - char *buf = NULL; + char *out = outbuf; const char *mark = "-_.!~*'()"; /* no encode set, RFC 2396 section 2.3, RFC 3261 sec 25 */ - ast_copy_string(outbuf, string, buflen); - while (*ptr) { + while (*ptr && out - outbuf < buflen - 1) { if ((const signed char) *ptr < 32 || *ptr == 0x7f || *ptr == '%' || (do_special_char && !(*ptr >= '0' && *ptr <= '9') && /* num */ !(*ptr >= 'A' && *ptr <= 'Z') && /* ALPHA */ !(*ptr >= 'a' && *ptr <= 'z') && /* alpha */ !strchr(mark, *ptr))) { /* mark set */ - - /* Oops, we need to start working here */ - if (!buf) { - buf = outbuf; - out = buf + (ptr - string) ; /* Set output ptr */ + if (out - outbuf >= buflen - 3) { + break; } + out += sprintf(out, "%%%02X", (unsigned char) *ptr); - } else if (buf) { + } else { *out = *ptr; /* Continue copying the string */ out++; } ptr++; } - if (buf) + + if (buflen) { *out = '\0'; + } + return outbuf; } -- GitLab
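Review bot: The final guard `if (buflen) {` is also true for a negative `buflen`, so a caller that passes a miscomputed (negative) remaining size still gets a one-byte write of `'\0'` to `outbuf[0]`, even though the loop guard `out - outbuf < buflen - 1` correctly skips the loop in that case. Since `buflen` is a signed `int`, the terminator should be written only for a usable buffer: `if (buflen > 0) {`. Separately, when the `break` at `out - outbuf >= buflen - 3` fires or the loop runs out of room, the function returns a silently truncated encoding with no signal to the caller. A truncated URI can mean something different from the intended one, so the function deserves a header comment such as `/* Output is truncated (always NUL-terminated) if outbuf is too small; size it as strlen(string) * 3 + 1 to guarantee a complete encoding. */`. As further hardening, the `sprintf` call could become `snprintf(out, buflen - (out - outbuf), "%%%02X", ...)` so that the write stays bounded even if the arithmetic guard above it is later edited.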