Fix heap overflow on uri parsing (#1185)

TingDaoK · web-flow · commit 5e6c08186fa5 · 2025-01-27T10:00:42.000-08:00
diff --git a/source/uri.c b/source/uri.c
@@ -282,8 +282,9 @@ static void s_parse_scheme(struct uri_parser *parser, struct aws_byte_cursor *st
         return;
     }
 
-    /* make sure we didn't just pick up the port by mistake */
-    if ((size_t)(location_of_colon - str->ptr) < str->len && *(location_of_colon + 1) != '/') {
+    /* Ensure location_of_colon is not the last character before checking *(location_of_colon + 1) */
+    if ((size_t)(location_of_colon - str->ptr) + 1 >= str->len || *(location_of_colon + 1) != '/') {
+        /* make sure we didn't just pick up the port by mistake */
         parser->state = ON_AUTHORITY;
         return;
     }
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -513,6 +513,7 @@ add_test_case(uri_ipv4_parse)
 add_test_case(uri_invalid_scheme_parse)
 add_test_case(uri_invalid_port_parse)
 add_test_case(uri_port_too_large_parse)
+add_test_case(uri_single_colon_parse)
 add_test_case(uri_builder)
 add_test_case(uri_builder_from_string)
 add_test_case(test_uri_encode_path_rfc3986)
diff --git a/tests/uri_test.c b/tests/uri_test.c
@@ -593,6 +593,18 @@ static int s_test_uri_port_too_large_parse(struct aws_allocator *allocator, void
 
 AWS_TEST_CASE(uri_port_too_large_parse, s_test_uri_port_too_large_parse);
 
+static int s_test_uri_single_colon_parse(struct aws_allocator *allocator, void *ctx) {
+    (void)ctx;
+    const char *str_uri = ":";
+    struct aws_byte_cursor uri_csr = aws_byte_cursor_from_array(str_uri, 1);
+    struct aws_uri uri;
+    ASSERT_SUCCESS(aws_uri_init_parse(&uri, allocator, &uri_csr));
+    aws_uri_clean_up(&uri);
+    return AWS_OP_SUCCESS;
+}
+
+AWS_TEST_CASE(uri_single_colon_parse, s_test_uri_single_colon_parse);
+
 static int s_test_uri_builder(struct aws_allocator *allocator, void *ctx) {
     (void)ctx;
     const char *str_uri =

Original file line number	Diff line number	Diff line change
`@@ -282,8 +282,9 @@ static void s_parse_scheme(struct uri_parser parser, struct aws_byte_cursor st`
`282`	`282`	`return;`
`283`	`283`	`}`
`284`	`284`
`285`		`- /* make sure we didn't just pick up the port by mistake */`
`286`		`- if ((size_t)(location_of_colon - str->ptr) < str->len && *(location_of_colon + 1) != '/') {`
	`285`	`+ /* Ensure location_of_colon is not the last character before checking (location_of_colon + 1) /`
	`286`	`+ if ((size_t)(location_of_colon - str->ptr) + 1 >= str->len \|\| *(location_of_colon + 1) != '/') {`
	`287`	`+ /* make sure we didn't just pick up the port by mistake */`
`287`	`288`	`parser->state = ON_AUTHORITY;`
`288`	`289`	`return;`
`289`	`290`	`}`