curl_unescape() did not stop at the set length properly when %-codes were

used
2024-11-21 01:16:58 +08:00 · 2000-11-21 19:01:53 +00:00 · 2000-11-21 19:01:53 +00:00 · b734bc37eb
commit b734bc37eb
parent 2c123051bb
1 changed files with 2 additions and 1 deletions
--- a/lib/escape.c
+++ b/lib/escape.c
@ -100,7 +100,7 @@ char *curl_unescape(char *string, int length)
                            the "query part" where '+' should become ' '.
                            RFC 2316, section 3.10 */
  
-   while(--alloc) {
+   while(--alloc > 0) {
      in = *string;
      if(querypart && ('+' == in))
         in = ' ';
@ -113,6 +113,7 @@ char *curl_unescape(char *string, int length)
        if(sscanf(string+1, "%02X", &hex)) {
          in = hex;
          string+=2;
+          alloc-=2;
        }
      }