src: avoid OOB read in URL parser

addaleax · codebytere · commit a8824ae0a50f · 2020-06-18T09:54:23.000-07:00
This is not a big concern, because right now, all (non-test) inputs to the parser are `'\0'`-terminated, but we should be future-proof here and not perform these OOB reads. PR-URL: #33640 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Gus Caplan <me@gus.host> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
diff --git a/src/node_url.cc b/src/node_url.cc
@@ -1487,7 +1487,7 @@ void URL::Parse(const char* input,
             state = kSpecialRelativeOrAuthority;
           } else if (special) {
             state = kSpecialAuthoritySlashes;
-          } else if (p[1] == '/') {
+          } else if (p + 1 < end && p[1] == '/') {
             state = kPathOrAuthority;
             p++;
           } else {
@@ -1547,7 +1547,7 @@ void URL::Parse(const char* input,
         }
         break;
       case kSpecialRelativeOrAuthority:
-        if (ch == '/' && p[1] == '/') {
+        if (ch == '/' && p + 1 < end && p[1] == '/') {
           state = kSpecialAuthorityIgnoreSlashes;
           p++;
         } else {
@@ -1695,7 +1695,7 @@ void URL::Parse(const char* input,
         break;
       case kSpecialAuthoritySlashes:
         state = kSpecialAuthorityIgnoreSlashes;
-        if (ch == '/' && p[1] == '/') {
+        if (ch == '/' && p + 1 < end && p[1] == '/') {
           p++;
         } else {
           continue;
diff --git a/test/cctest/test_url.cc b/test/cctest/test_url.cc
@@ -81,6 +81,26 @@ TEST_F(URLTest, Base3) {
   EXPECT_EQ(simple.path(), "/baz");
 }
 
+TEST_F(URLTest, TruncatedAfterProtocol) {
+  char input[2] = { 'q', ':' };
+  URL simple(input, sizeof(input));
+
+  EXPECT_FALSE(simple.flags() & URL_FLAGS_FAILED);
+  EXPECT_EQ(simple.protocol(), "q:");
+  EXPECT_EQ(simple.host(), "");
+  EXPECT_EQ(simple.path(), "/");
+}
+
+TEST_F(URLTest, TruncatedAfterProtocol2) {
+  char input[6] = { 'h', 't', 't', 'p', ':', '/' };
+  URL simple(input, sizeof(input));
+
+  EXPECT_TRUE(simple.flags() & URL_FLAGS_FAILED);
+  EXPECT_EQ(simple.protocol(), "http:");
+  EXPECT_EQ(simple.host(), "");
+  EXPECT_EQ(simple.path(), "");
+}
+
 TEST_F(URLTest, ToFilePath) {
 #define T(url, path) EXPECT_EQ(path, URL(url).ToFilePath())
   T("http://example.org/foo/bar", "");
