From: Matthew Nicholson Date: Tue, 11 Jan 2011 18:42:05 +0000 (+0000) Subject: Merged revisions 301305 via svnmerge from X-Git-Tag: 1.6.2.17-rc1~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=423fa1a8757a81b5d0d9c331f5d51bfe8d6b2b2c;p=thirdparty%2Fasterisk.git Merged revisions 301305 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r301305 | mnicholson | 2011-01-11 12:34:40 -0600 (Tue, 11 Jan 2011) | 4 lines Prevent buffer overflows in ast_uri_encode() ABE-2705 ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@301307 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
diff --git a/main/utils.c b/main/utils.c
index 4fe4984b2c..871784563a 100644
--- a/main/utils.c
+++ b/main/utils.c
@@ -386,28 +386,27 @@ char *ast_uri_encode(const char *string, char *outbuf, int buflen, int doreserve
 char *reserved = ";/?:@&=+$,# "; /* Reserved chars */
 
 const char *ptr = string; /* Start with the string */
- char *out = NULL;
- char *buf = NULL;
+ char *out = outbuf;
 
- ast_copy_string(outbuf, string, buflen);
-
- /* If there's no characters to convert, just go through and don't do anything */
- while (*ptr) {
+ /* If there's no characters to convert, just go through and copy the string */
+ while (*ptr && out - outbuf < buflen - 1) {
 if ((*ptr < 32) || (doreserved && strchr(reserved, *ptr))) {
- /* Oops, we need to start working here */
- if (!buf) {
- buf = outbuf;
- out = buf + (ptr - string) ; /* Set output ptr */
+ if (out - outbuf >= buflen - 3) {
+ break;
 }
+
 out += sprintf(out, "%%%02x", (unsigned char) *ptr);
- } else if (buf) {
- *out = *ptr; /* Continue copying the string */
+ } else {
+ *out = *ptr; /* copy the character */
 out++;
- }
+ }
 ptr++;
 }
- if (buf)
+
+ if (buflen) {
 *out = '\0';
+ }
+
 return outbuf;
 }
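Review bot: The final guard `if (buflen) {` is also true for a negative `buflen`, so a caller that passes a miscomputed negative size still gets a NUL written to `outbuf[0]`; `if (buflen > 0) {` would match the assumption the loop condition `out - outbuf < buflen - 1` already makes. The new loop also stops silently when the next escape would not fit (the `break` on `out - outbuf >= buflen - 3`), so callers receive a truncated encoding with no signal; a comment on the function such as `/* Output is truncated to at most buflen - 1 bytes; an escape sequence is never split. */` would make that contract explicit for callers that build URIs from the result. The `sprintf` is kept in bounds only by the check two lines above it, and `out += snprintf(out, buflen - (out - outbuf), "%%%02x", (unsigned char) *ptr);` would put the limit on the write itself. The function's signature and opening brace lie outside the hunk.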