authorJo-Philipp Wich2022-08-10 19:43:08 +0000
committerJo-Philipp Wich2022-08-10 19:43:34 +0000
commit901b0f0463c9d16a8cf5b9ed37118d8484bc9176 (patch)
treee3cb646cdeab36b79a0315a95e5369f52e35cab5
parent98cef9dda63623eff07bd574ad7c98ef282af18d (diff)
downloadcgi-io-901b0f0463c9d16a8cf5b9ed37118d8484bc9176.tar.gz
main: fix two one-byte overreads in header_value()
By passing specially crafted header values, the skip loops in the header_value() function may read past the end of the input buffer by one byte each. Reported-by: Jinwei Dong <jwdong2000@qq.com> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--main.c18
1 files changed, 9 insertions, 9 deletions
diff --git a/main.c b/main.c
index e55051e..8ca4c04 100644
--- a/main.c
+++ b/main.c
@@ -314,21 +314,21 @@ header_value(multipart_parser *p, const char *data, size_t len)
if (len < 10 || strncasecmp(data, "form-data", 9))
return 0;
- for (data += 9, len -= 9; *data == ' ' || *data == ';'; data++, len--);
+ for (data += 9, len -= 9; len > 0 && (*data == ' ' || *data == ';'); data++, len--);
if (len < 8 || strncasecmp(data, "name=\"", 6))
return 0;
- for (data += 6, len -= 6, i = 0; i <= len; i++)
+ for (data += 6, len -= 6, i = 1; i < len; i++)
{
- if (*(data + i) != '"')
- continue;
-
- for (j = 1; j < sizeof(parts) / sizeof(parts[0]); j++)
- if (!strncmp(data, parts[j], i))
- st.parttype = j;
+ if (data[i] == '"')
+ {
+ for (j = 1; j < sizeof(parts) / sizeof(parts[0]); j++)
+ if (!strncmp(data, parts[j], i - 1))
+ st.parttype = j;
- break;
+ break;
+ }
}
return 0;
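Review bot: In the name-matching loop, `strncmp(data, parts[j], i - 1)` compares one character fewer than the quoted name holds, because `data[i]` is the closing quote and the name is therefore `i` bytes long. For a one-character name the length argument is 0, so `strncmp` returns 0 for every entry and `st.parttype` ends up at the last index of `parts`; longer names are still matched on a prefix only. Requiring an exact match would keep unrelated form fields from being classified as a known part, e.g. `if (strlen(parts[j]) == i && !memcmp(data, parts[j], i))`, assuming the entries of `parts` (declared outside the hunk) are plain NUL-terminated names. The body of header_value starts before the hunk and its closing brace is not shown, so any later use of `st.parttype` could not be checked here.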