Bug 595264: Fix an infinite loop in pkix_pl_InfoAccess_ParseTokens if the NSS_3_12_BRANCH
authorwtc%google.com
Thu, 16 Sep 2010 17:43:53 +0000
branchNSS_3_12_BRANCH
changeset 9818 e8aa744fcf94070bf7034aec18d6f968d1d157c9
parent 9805 fb18545e94eb6ae9c49e1b62a90e465f3b85d0ea
child 9819 2a927d5fafd1c3632c12f535a56cad9254bc1714
push idunknown
push userunknown
push dateunknown
bugs595264
Bug 595264: Fix an infinite loop in pkix_pl_InfoAccess_ParseTokens if the input contains a "%" hex hex escape sequence that's not the expected "%20". The patch is contributed by Adam Langley of Google <agl@chromium.org>. r=wtc,alexei. Tag: NSS_3_12_BRANCH
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
@@ -570,17 +570,16 @@ pkix_pl_InfoAccess_ParseTokens(
         char **startPos, /* return update */
         char ***tokens,
         char separator,
         char terminator,
         void *plContext)
 {
         PKIX_UInt32 len = 0;
         PKIX_UInt32 numFilters = 0;
-        PKIX_Int32 cmpResult = -1;
         char *endPos = NULL;
         char *p = NULL;
         char **filterP = NULL;
 
         PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_ParseTokens");
         PKIX_NULLCHECK_THREE(arena, startPos, tokens);
 
         endPos = *startPos;
@@ -624,24 +623,22 @@ pkix_pl_InfoAccess_ParseTokens(
                     p = PORT_ArenaZAlloc(arena, len+1);
                     if (p == NULL) {
                         PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
                     }
 
                     *filterP = p;
 
                     while (len) {
-                            if (**startPos == '%') {
+                            if (**startPos == '%' &&
+                                strncmp(*startPos, "%20", 3) == 0) {
                             /* replace %20 by blank */
-                                cmpResult = strncmp(*startPos, "%20", 3);
-                                if (cmpResult == 0) {
-                                    *p = ' ';
-                                    *startPos += 3;
-                                    len -= 3;
-                                }
+                                *p = ' ';
+                                *startPos += 3;
+                                len -= 3;
                             } else {
                                 *p = **startPos;
                                 (*startPos)++;
                                 len--;
                             }
                             p++;
                     }
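Review bot: The new condition `strncmp(*startPos, "%20", 3) == 0` still does not consult `len`, so `len -= 3` on the unsigned `PKIX_UInt32 len` would wrap if a match began with fewer than three bytes left in the token. The `while (len)` loop would then keep copying past the `len+1` bytes allocated for `p`. How `len` is derived is outside this hunk, so this may be unreachable if a token boundary can never fall inside a `%20`. The guard is cheap either way: `if (len >= 3 && strncmp(*startPos, "%20", 3) == 0) {`, which also makes the separate `**startPos == '%'` test redundant. The function body starts and ends outside the hunk.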