[njs] A fix in decodeURI() and decodeURIComponent() functions.

[Igor Sysoev]

details:   http://hg.nginx.org/njs/rev/cec366d97854
branches:  
changeset: 211:cec366d97854
user:      Igor Sysoev <igor at sysoev.ru>
date:      Sat Oct 22 20:24:32 2016 +0300
description:
A fix in decodeURI() and decodeURIComponent() functions.

Found with afl-fuzz.

diffstat:

 njs/njs_string.c |  5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diffs (36 lines):

diff -r 7685bf403554 -r cec366d97854 njs/njs_string.c
--- a/njs/njs_string.c	Fri Oct 21 23:03:02 2016 +0300
+++ b/njs/njs_string.c	Sat Oct 22 20:24:32 2016 +0300
@@ -3070,7 +3070,6 @@ njs_string_decode(njs_vm_t *vm, njs_valu
         byte = *src++;
 
         if (byte == '%') {
-
             size -= 2;
 
             if (size <= 0) {
@@ -3117,6 +3116,8 @@ njs_string_decode(njs_vm_t *vm, njs_valu
         byte = *src++;
 
         if (byte == '%') {
+            size -= 2;
+
             d0 = hex[*src++];
             d1 = hex[*src++];
             byte = (d0 << 4) + d1;
@@ -3124,7 +3125,6 @@ njs_string_decode(njs_vm_t *vm, njs_valu
             utf8 |= (byte >= 0x80);
 
             if ((reserve[byte >> 5] & ((uint32_t) 1 << (byte & 0x1f))) != 0) {
-                size -= 2;
                 *dst++ = '%';
                 *dst++ = src[-2];
                 byte = src[-1];
@@ -3132,7 +3132,6 @@ njs_string_decode(njs_vm_t *vm, njs_valu
         }
 
         *dst++ = byte;
-
         size--;
 
     } while (size != 0);