
fuzz - 12260 - fixing undefined shift issue when handling javascript escape sequences during hex to int conversion

Mickey Sola authored on 2019/01/16 02:11:23
Showing 1 changed files
... ...
@@ -907,12 +907,14 @@ char *cli_unescape(const char *str)
907 907
 			if(k+5 >= len || str[k+1] != 'u' || !isxdigit(str[k+2]) || !isxdigit(str[k+3])
908 908
 						|| !isxdigit(str[k+4]) || !isxdigit(str[k+5])) {
909 909
 				if(k+2 < len && isxdigit(str[k+1]) && isxdigit(str[k+2])) {
910
-					c = (cli_hex2int(str[k+1])<<4) | cli_hex2int(str[k+2]);
910
+                    c = ((cli_hex2int(str[k + 1]) < 0 ? 0 : cli_hex2int(str[k + 1])) << 4) | cli_hex2int(str[k + 2]);
911 911
 					k += 2;
912 912
 				}
913 913
 			} else {
914
-				uint16_t u = (cli_hex2int(str[k+2])<<12) | (cli_hex2int(str[k+3])<<8) |
915
-					(cli_hex2int(str[k+4])<<4) | cli_hex2int(str[k+5]);
914
+                uint16_t u = ((cli_hex2int(str[k + 2]) < 0 ? 0 : cli_hex2int(str[k + 2])) << 12) |
915
+                             ((cli_hex2int(str[k + 3]) < 0 ? 0 : cli_hex2int(str[k + 3])) << 8)  |
916
+                             ((cli_hex2int(str[k + 4]) < 0 ? 0 : cli_hex2int(str[k + 4])) << 4)  |
917
+                               cli_hex2int(str[k + 5]);
916 918
 				i += output_utf8(u, (unsigned char*)&R[i]);
917 919
 				k += 5;
918 920
 				continue;
... ...
@@ -958,13 +960,15 @@ int cli_textbuffer_append_normalize(struct text_buffer *buf, const char *str, si
958 958
 					break;
959 959
 				case 'x':
960 960
 					if(i+2 < len)
961
-						c = (cli_hex2int(str[i+1])<<4)|cli_hex2int(str[i+2]);
961
+                        c = ((cli_hex2int(str[i + 1]) < 0 ? 0 : cli_hex2int(str[i + 1])) << 4) | cli_hex2int(str[i + 2]);
962 962
 					i += 2;
963 963
 					break;
964 964
 				case 'u':
965 965
 					if(i+4 < len) {
966
-						uint16_t u = (cli_hex2int(str[i+1])<<12) | (cli_hex2int(str[i+2])<<8) |
967
-							(cli_hex2int(str[i+3])<<4) | cli_hex2int(str[i+4]);
966
+                        uint16_t u = ((cli_hex2int(str[i + 1]) < 0 ? 0 : cli_hex2int(str[i + 1])) << 12) |
967
+                                     ((cli_hex2int(str[i + 2]) < 0 ? 0 : cli_hex2int(str[i + 2])) << 8)  |
968
+                                     ((cli_hex2int(str[i + 3]) < 0 ? 0 : cli_hex2int(str[i + 3])) << 4)  | 
969
+                                       cli_hex2int(str[i + 4]);
968 970
 						if(textbuffer_ensure_capacity(buf, 4) == -1)
969 971
 							return -1;
970 972
 						buf->pos += output_utf8(u, (unsigned char*)&buf->data[buf->pos]);
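Review bot: The low nibble in each rewritten expression is still OR-ed in without the `< 0` guard (for example `| cli_hex2int(str[i + 4])` in the `'u'` case of cli_textbuffer_append_normalize), so if cli_hex2int returns a negative value for a non-hex character, as the new ternaries imply, the result becomes all ones (`u == 0xFFFF`, `c == -1`) instead of a decoded character. In cli_unescape the digits are already checked with isxdigit before decoding, but the `'x'` and `'u'` cases in the second hunk show no such check, and mapping a bad high digit to 0 silently changes the normalized text that later matching sees. I would validate up front and leave a malformed escape undecoded, e.g. `if(i+2 < len && isxdigit((unsigned char)str[i+1]) && isxdigit((unsigned char)str[i+2]))`, with the same pattern for the four `\u` digits. Both functions start and end outside the visible hunks, so any check made earlier in cli_textbuffer_append_normalize is not visible here.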