url: disallow invalid IPv4 in IPv6 parser

Fixes: https://github.com/nodejs/node/issues/10655 PR-URL: https://github.com/nodejs/node/pull/12315 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Timothy Gu <timothygu99@gmail.com>
author: Daijiro Wachi <daijiro.wachi@gmail.com> 2017-04-14 18:12:16 +0200
committer: Daijiro Wachi <daijiro.wachi@gmail.com> 2017-04-14 18:12:16 +0200
commit: 1b99d8ffe9647aa075408b5551e81ef70242eec2 (patch)
tree: d263881ce614b54bf6bd5c658a8b3ece02d2db9d /src
parent: 1ae172b272f17fe8bb82a0f79b8d7e0bc2fb17ec (diff)
download: android-node-v8-1b99d8ffe9647aa075408b5551e81ef70242eec2.tar.gz
android-node-v8-1b99d8ffe9647aa075408b5551e81ef70242eec2.tar.bz2
android-node-v8-1b99d8ffe9647aa075408b5551e81ef70242eec2.zip
1 files changed, 14 insertions, 12 deletions
diff --git a/src/node_url.cc b/src/node_url.cc
index 16a4cdd45b..39f56ece67 100644
--- a/src/node_url.cc
+++ b/src/node_url.cc
@@ -110,7 +110,7 @@ namespace url {
     uint16_t* compress_pointer = nullptr;
     const char* pointer = input;
     const char* end = pointer + length;
-    unsigned value, len, swaps, dots;
+    unsigned value, len, swaps, numbers_seen;
     char ch = pointer < end ? pointer[0] : kEOL;
     if (ch == ':') {
       if (length < 2 || pointer[1] != ':')
@@ -148,9 +148,17 @@ namespace url {
           ch = pointer < end ? pointer[0] : kEOL;
           if (piece_pointer > last_piece - 2)
             goto end;
-          dots = 0;
+          numbers_seen = 0;
           while (ch != kEOL) {
             value = 0xffffffff;
+            if (numbers_seen > 0) {
+              if (ch == '.' && numbers_seen < 4) {
+                pointer++;
+                ch = pointer < end ? pointer[0] : kEOL;
+              } else {
+                goto end;
+              }
+            }
             if (!ASCII_DIGIT(ch))
               goto end;
             while (ASCII_DIGIT(ch)) {
@@ -167,19 +175,13 @@ namespace url {
               pointer++;
               ch = pointer < end ? pointer[0] : kEOL;
             }
-            if (dots < 3 && ch != '.')
-              goto end;
             *piece_pointer = *piece_pointer * 0x100 + value;
-            if (dots & 0x1)
+            numbers_seen++;
+            if (numbers_seen == 2 || numbers_seen == 4)
               piece_pointer++;
-            if (ch != kEOL) {
-              pointer++;
-              ch = pointer < end ? pointer[0] : kEOL;
-            }
-            if (dots == 3 && ch != kEOL)
-              goto end;
-            dots++;
           }
+          if (numbers_seen != 4)
+            goto end;
           continue;
         case ':':
           pointer++;
author	Daijiro Wachi <daijiro.wachi@gmail.com>	2017-04-14 18:12:16 +0200
committer	Daijiro Wachi <daijiro.wachi@gmail.com>	2017-04-14 18:12:16 +0200
commit	1b99d8ffe9647aa075408b5551e81ef70242eec2 (patch)
tree	d263881ce614b54bf6bd5c658a8b3ece02d2db9d /src
parent	1ae172b272f17fe8bb82a0f79b8d7e0bc2fb17ec (diff)
download	android-node-v8-1b99d8ffe9647aa075408b5551e81ef70242eec2.tar.gz android-node-v8-1b99d8ffe9647aa075408b5551e81ef70242eec2.tar.bz2 android-node-v8-1b99d8ffe9647aa075408b5551e81ef70242eec2.zip