Fix out-of-bound access in percent decode

6582160a · miloyip · bb0e8289 · 6582160a
Commit 6582160a authored May 03, 2015 by miloyip
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 3 deletions

pointer.h include/rapidjson/pointer.h +5 -3

No files found.
--- a/include/rapidjson/pointer.h
+++ b/include/rapidjson/pointer.h
@@ -425,7 +425,7 @@ private:
                if (uriFragment) {
                    // Decoding percent-encoding for URI fragment
                    if (c == '%') {
-                        PercentDecodeStream is(&source[i]);
+                        PercentDecodeStream is(&source[i], source + length);
                        GenericInsituStringStream<EncodingType> os(name);
                        Ch* begin = os.PutBegin();
                        Transcoder<UTF8<>, EncodingType> transcoder;
@@ -551,10 +551,11 @@ private:

    class PercentDecodeStream {
    public:
-        PercentDecodeStream(const Ch* source) : src_(source), head_(source), valid_(true) {}
+        PercentDecodeStream(const Ch* source, const Ch* end) : src_(source), head_(source), end_(end), valid_(true) {}

        Ch Take() {
-            if (*src_ != '%') {
+            // %XX triplet
+            if (src_ + 3 > end_ || *src_ != '%') {
                valid_ = false;
                return 0;
            }
@@ -582,6 +583,7 @@ private:
    private:
        const Ch* src_;     //!< Current read position.
        const Ch* head_;    //!< Original head of the string.
+        const Ch* end_;
        bool valid_;
    };