zf8848 / libjingle

Automatically exported from code.google.com/p/libjingle

Bounds checking error in talk_base::UrlEncode #45

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What I found is a bug in the source code.

In file: urlencode.cc

In the urlencode function, the programmer forgot ++len; take a look below.

#include <cctype>   // isalnum
#include <cstring>  // strchr

int UrlEncode(const char *source, char *dest, unsigned max)  
{
  static const char *digits = "0123456789ABCDEF";
  unsigned char ch;
  unsigned len = 0;      // meant to count bytes written to dest
  char *start = dest;

  // len is never incremented in the loop body, so this guard only ever
  // compares 0 against max - 4 and the loop runs to the end of source
  // regardless of how large dest really is (max - 4 also wraps when max < 4).
  while (len < max - 4 && *source)
  {
    ch = (unsigned char)*source;
    if (*source == ' ') {
      *dest++ = '+';                       // space becomes '+'
    }
    else if (isalnum(ch) || strchr("-_.!~*'()", ch)) {
      *dest++ = *source;                   // unreserved characters pass through
    }
    else {
      *dest++ = '%';                       // everything else is %XX escaped
      *dest++ = digits[(ch >> 4) & 0x0F];
      *dest++ = digits[       ch & 0x0F];
    }  
    source++;
    ///////////////////
    // Should ++len here; otherwise, if dest is shorter than source, memory
    // will be overwritten.
  }
  *dest = 0;
  return start - dest;
}

Original issue reported on code.google.com by confused...@gmail.com on 26 Mar 2009 at 1:48
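The report above shows the bounds guard failing because `len` never advances. As an added example (not libjingle's code and not the fix that shipped in 0.5), here is a rewrite of the same encoder that counts the bytes it writes, reserves room for the worst-case three-byte escape plus the terminating NUL before each iteration, and reports truncation through its return value. `UrlEncodeChecked`, `UrlEncodedLength`, `EncodeToString` and `ProbeNoOverflow` are names chosen for this example; the probe writes into an 8-byte buffer guarded by a canary so a regression test can confirm nothing lands past the caller's buffer.

```cpp
// Added example: bounds-checked variant of talk_base::UrlEncode.
// Not libjingle's code; function names are this example's own.
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>

// Number of bytes the encoded form of `source` needs, excluding the NUL.
// Lets a caller size `dest` correctly or detect truncation afterwards.
unsigned UrlEncodedLength(const char *source) {
  unsigned n = 0;
  for (; *source; ++source) {
    unsigned char ch = static_cast<unsigned char>(*source);
    n += (ch == ' ' || isalnum(ch) || strchr("-_.!~*'()", ch)) ? 1 : 3;
  }
  return n;
}

// Encodes `source` into `dest`, which holds `max` bytes including the NUL.
// Returns the number of characters written (excluding the NUL), or -1 when
// `max` is 0 and not even the terminator fits. Output is truncated, never
// overrun: each iteration may emit up to 3 bytes, so the guard requires
// len + 3 payload bytes plus 1 terminator byte to fit before writing.
int UrlEncodeChecked(const char *source, char *dest, unsigned max) {
  static const char *digits = "0123456789ABCDEF";
  if (max == 0) return -1;
  unsigned len = 0;  // bytes written so far; the original never updated this
  while (*source && len + 3 < max) {
    unsigned char ch = static_cast<unsigned char>(*source);
    if (ch == ' ') {
      dest[len++] = '+';
    } else if (isalnum(ch) || strchr("-_.!~*'()", ch)) {
      dest[len++] = static_cast<char>(ch);
    } else {
      dest[len++] = '%';
      dest[len++] = digits[(ch >> 4) & 0x0F];
      dest[len++] = digits[ch & 0x0F];
    }
    source++;
  }
  dest[len] = '\0';
  return static_cast<int>(len);
}

// Convenience wrapper: encode into a buffer of `max` bytes, return the result.
std::string EncodeToString(const char *source, unsigned max) {
  std::string buf(max + 1, '\0');
  int n = UrlEncodeChecked(source, &buf[0], max);
  return n < 0 ? std::string() : std::string(buf.c_str(), static_cast<size_t>(n));
}

// Regression probe: encode an input far longer than an 8-byte buffer that is
// followed by a canary region. Returns true only if the result is NUL-
// terminated inside the buffer and every canary byte is untouched.
bool ProbeNoOverflow() {
  struct Guarded { char buf[8]; unsigned char canary[8]; } g;
  memset(g.canary, 0xAA, sizeof g.canary);
  const char *input = "this is a long string with spaces & symbols: /?#";  // constructed
  int n = UrlEncodeChecked(input, g.buf, sizeof g.buf);
  if (n < 0 || n >= static_cast<int>(sizeof g.buf)) return false;
  if (g.buf[n] != '\0') return false;
  for (size_t i = 0; i < sizeof g.canary; ++i)
    if (g.canary[i] != 0xAA) return false;
  return true;
}

int main() {
  const char *src = "a b&c";  // constructed sample input
  char out[16];
  int n = UrlEncodeChecked(src, out, sizeof out);
  printf("wrote %d bytes: %s (needs %u)\n", n, out, UrlEncodedLength(src));
  printf("canary intact: %s\n", ProbeNoOverflow() ? "yes" : "no");
  return 0;
}
```

A caller that cares about silent truncation compares the return value with `UrlEncodedLength(src)`; the two differ only when the buffer was too small, and the buffer is never overrun either way.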

GoogleCodeExporter commented 9 years ago

Original comment by juberti@google.com on 9 Sep 2011 at 7:26

GoogleCodeExporter commented 9 years ago
Please take a look at this and see if it's valid.

Original comment by juberti@google.com on 8 Dec 2011 at 9:45

GoogleCodeExporter commented 9 years ago
Peter, did you have a chance to look at this?

Original comment by juberti@google.com on 21 Dec 2011 at 11:22

GoogleCodeExporter commented 9 years ago
Sorry.  Just looked at it.  It looks correct.  I'll make a change to fix it.

Original comment by pthatc...@google.com on 21 Dec 2011 at 11:36

GoogleCodeExporter commented 9 years ago
Never mind.  It was fixed with libjingle 0.5.

Original comment by pthatc...@google.com on 21 Dec 2011 at 11:47