From 5a4fce56ecce3e02d926bd0fb582a50ea3368f50 Mon Sep 17 00:00:00 2001
From: emaste <emaste@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Sun, 8 Mar 2020 16:53:46 +0000
Subject: [PATCH] MFC r357212: libfetch: fix urldecode buffer overrun

Reported by:	Duncan Overbruck
Security:	CVE-2020-7450


git-svn-id: svn://svn.freebsd.org/base/stable/9@358741 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 lib/libfetch/fetch.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/libfetch/fetch.c b/lib/libfetch/fetch.c
index 8d92bbcb7..c4e41a5fa 100644
--- a/lib/libfetch/fetch.c
+++ b/lib/libfetch/fetch.c
@@ -327,6 +327,8 @@ fetch_pctdecode(char *dst, const char *src, size_t dlen)
 		}
 		if (dlen-- > 0)
 			*dst++ = c;
+		else
+			return (NULL);
 	}
 	return (s);
 }
@@ -373,11 +375,15 @@ fetchParseURL(const char *URL)
 	if (p && *p == '@') {
 		/* username */
 		q = fetch_pctdecode(u->user, URL, URL_USERLEN);
+		if (q == NULL)
+			goto ouch;
 
 		/* password */
-		if (*q == ':')
+		if (*q == ':') {
 			q = fetch_pctdecode(u->pwd, q + 1, URL_PWDLEN);
-
+			if (q == NULL)
+				goto ouch;
+		}
 		p++;
 	} else {
 		p = URL;
-- 
2.42.0