[njs] Fixed open byte overread in decodeURI() and decodeURIComponent().

noreply at nginx.com noreply at nginx.com
Mon Jun 10 21:50:06 UTC 2024


details:   https://hg.nginx.org/njs/rev/d67e5b627677
branches:  
changeset: 2352:d67e5b627677
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Thu Jun 06 23:10:12 2024 -0700
description:
Fixed open byte overread in decodeURI() and decodeURIComponent().

Found by OSS-Fuzz and MemorySanitizer.

diffstat:

 src/njs_string.c         |  2 +-
 src/test/njs_unit_test.c |  4 ++++
 2 files changed, 5 insertions(+), 1 deletions(-)

diffs (33 lines):

diff -r 993e28c8eb84 -r d67e5b627677 src/njs_string.c
--- a/src/njs_string.c	Wed Jun 05 18:23:18 2024 -0700
+++ b/src/njs_string.c	Thu Jun 06 23:10:12 2024 -0700
@@ -4074,7 +4074,7 @@ njs_string_decode_uri(njs_vm_t *vm, njs_
             n++;
         } while (((cp << n) & 0x80));
 
-        if (njs_slow_path(n > 4)) {
+        if (njs_slow_path(n > 4 || src + njs_length("%00") * (n - 1)  > end)) {
             goto uri_error;
         }
 
diff -r 993e28c8eb84 -r d67e5b627677 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c	Wed Jun 05 18:23:18 2024 -0700
+++ b/src/test/njs_unit_test.c	Thu Jun 06 23:10:12 2024 -0700
@@ -10016,13 +10016,17 @@ static njs_unit_test_t  njs_test[] =
               " '%',"
               " '%0',"
               " '%QQ',"
+              " '%C0%' + '0',"
               " '%C0%10',"
+              " '%C0%80',"
               " '%DC%C7',"
               " '%80%81%82',"
               " '%EF%5C%A0',"
               " '%EF%A0%5E',"
+              " '%E0%EF%' + '0',"
               " '%E0%EF%A0',"
               " '%E0%A0%EF',"
+              " '%F0%A2%95%' + '0',"
               " '%FF%A2%95%BB',"
               "].every(v=>{try { decodeURI(v)} catch(e) {return e.name == 'URIError'}})"),
       njs_str("true")},
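Review bot: The added truncated sequences `'%C0%' + '0'`, `'%E0%EF%' + '0'` and `'%F0%A2%95%' + '0'` are only run through `decodeURI(v)` in the predicate on the last line of the hunk, although the commit message says decodeURIComponent() was fixed as well. Unless a parallel test array elsewhere in the file covers it, extending the predicate to also require `try { decodeURIComponent(v) } catch (e) { return e.name == 'URIError' }` for each entry, or duplicating this test with decodeURIComponent, would pin the fix for both entry points. The njs_test[] initializer starts and ends outside the hunk.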

