Bug fix submission for ne_path_escape

Pierre Crokaert pct at actl.be
Tue Oct 18 09:21:21 EDT 2011


When tracking down an out-of-memory problem in an embedded application 
using neon, I discovered a problem in the ne_uri.c file.
In the ne_path_escape function, the "count" computation leads to a value 
that can be significantly bigger than the actual value.
If the application frees the buffer returned by ne_path_escape, this can 
work, because the buffer is always large enough, and if it is freed there 
is no memory leak.
But instead of returning, for example, a 400-byte buffer, the function 
may allocate 1.7MBytes (or even more depending on the number of chars to 
escape; it grows very quickly). This can be an issue for the memory 
management of memory-constrained systems.

Below is the fix against version 0.29.6.


Pierre Crokaert

--- ne_uri_29.c    2011-10-18 15:03:06.719594001 +0200
+++ ne_uri_fix.c    2011-10-18 15:07:21.269594002 +0200
@@ -475,7 +475,7 @@

  /* CH must be an unsigned char; evaluates to 1 if CH should be
   * percent-encoded. */
-#define path_escape_ch(ch) (uri_lookup(ch) & URI_ESCAPE)
+#define path_escape_ch(ch) ((uri_lookup(ch) & URI_ESCAPE) ? 1 : 0)

  char *ne_path_escape(const char *path)
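Review bot: the `? 1 : 0` normalisation in `path_escape_ch` is the right fix, because the loop in the next hunk does `count += path_escape_ch(*pnt);` and the old form added the raw `URI_ESCAPE` bit value instead of 1 for every character that needs encoding; callers that only test the macro inside a condition keep their behaviour. `!!(uri_lookup(ch) & URI_ESCAPE)` is the shorter idiom for the same 0/1 result if preferred. The macro's existing comment already promises it "evaluates to 1", so no comment change is needed here.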
@@ -484,6 +484,8 @@
      size_t count = 0;

      for (pnt = (const unsigned char *)path; *pnt != '\0'; pnt++) {
+    // Bug: As path_escape_ch did not return 1, the actual count return 
could be way to big
+        //      - leading multi megabytes malloc when only few hundred 
bytes where required
          count += path_escape_ch(*pnt);
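Review bot: the added comment is a historical note about a bug that the macro change above already fixes, so it belongs in the change description rather than inside the loop; if a comment stays, state the invariant the loop relies on (the macro must yield exactly 0 or 1 because it is summed) and use `/* */` rather than `//`, matching the C comment style of the surrounding file. Also, the lines `// Bug: As path_escape_ch did not return 1, the actual count return` / `could be way to big` have been wrapped by the mail client, so the patch will not apply as posted; please resend it as an attachment, and fix "way to big" to "way too big" and "bytes where required" to "bytes were required".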

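To make the overcount concrete, here is an added, self-contained C illustration that is not neon's code: the counting loop from the hunk above is run with the old and the fixed macro over a constructed lookup table. The table contents, the flag value URI_ESCAPE = 1<<4 and the buffer sizing rule in alloc_size are all assumptions for the demonstration, not values taken from ne_uri.c.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the per-character lookup in ne_uri.c.  The real
 * table and flag values are not shown on the page; URI_ESCAPE = 1<<4 is an
 * assumed value chosen so the overcount is easy to see. */
#define URI_ALPHA  (1u << 0)
#define URI_DIGIT  (1u << 1)
#define URI_ESCAPE (1u << 4)

static unsigned int uri_lookup(unsigned char ch)
{
    if ((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z')) return URI_ALPHA;
    if (ch >= '0' && ch <= '9') return URI_DIGIT;
    if (ch == '/' || ch == '-' || ch == '.' || ch == '_' || ch == '~') return 0;
    return URI_ESCAPE;  /* everything else must be percent-encoded */
}

/* Before the fix: evaluates to the raw flag bit, i.e. 0 or URI_ESCAPE. */
#define path_escape_ch_old(ch) (uri_lookup(ch) & URI_ESCAPE)
/* After the fix: evaluates to exactly 0 or 1, so it is safe to sum. */
#define path_escape_ch_new(ch) ((uri_lookup(ch) & URI_ESCAPE) ? 1 : 0)

/* The counting loop from ne_path_escape, run with the old macro. */
static size_t count_old(const char *path)
{
    const unsigned char *pnt;
    size_t count = 0;
    for (pnt = (const unsigned char *)path; *pnt != '\0'; pnt++)
        count += path_escape_ch_old(*pnt);
    return count;
}

/* The same loop with the fixed macro. */
static size_t count_new(const char *path)
{
    const unsigned char *pnt;
    size_t count = 0;
    for (pnt = (const unsigned char *)path; *pnt != '\0'; pnt++)
        count += path_escape_ch_new(*pnt);
    return count;
}

/* Assumed sizing rule (not neon's exact formula): each escaped character
 * expands to "%XX", two extra bytes, plus the terminating NUL. */
static size_t alloc_size(const char *path, size_t count)
{
    return strlen(path) + 2 * count + 1;
}
```

With the assumed flag value the old macro inflates count by a factor of URI_ESCAPE (16 here), so a path with two spaces requests an 86-byte buffer instead of 26; a larger flag bit gives a proportionally larger overallocation.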