
Integer overflow(hs.token_len)

Open jzy2000 opened this issue 11 years ago • 1 comment

Test case: libinjection_xss("<%", 1); // call the API with an open tag followed by a percent sign. Note that the string length is 1.

Cause: in libinjection_is_xss(), the token operation (reading in libinjection_h5_next(&h5)) runs out of bounds, leading hs.token_len to overflow (i.e. hs.pos-hs.pos). This causes subsequent string operations relying on h5.token_len to fail (e.g. memchr(h5.token_start, '`', h5.token_len)).

jzy2000 avatar Jun 05 '14 03:06 jzy2000
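The failure mode in the report, as an added example that is not libinjection's own code: a minimal scanner with hypothetical names (scan_state, scan_open_tag_buggy, scan_open_tag_fixed) that shows how stepping pos past the caller-declared len makes the unsigned token_len wrap to a huge value, and the bounds check that keeps a later memchr(token_start, '`', token_len) inside the buffer.

```c
/* Added example with made-up names; not libinjection's scanner. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const char *s;           /* input buffer */
    size_t len;              /* caller-declared length (1 in the report's test case) */
    size_t pos;              /* current offset into s */
    const char *token_start;
    size_t token_len;
} scan_state;

/* Buggy: on '<' the scanner skips the byte after it without checking that
 * it lies within len. For ("<%", 1) pos becomes 2 > len, and
 * token_len = len - pos wraps around to SIZE_MAX (unsigned underflow). */
static void scan_open_tag_buggy(scan_state *st) {
    st->token_start = st->s + st->pos;
    if (st->s[st->pos] == '<') {
        st->pos += 2;                    /* no check that pos + 1 < len */
    }
    st->token_len = st->len - st->pos;   /* wraps when pos > len */
}

/* Fixed: never step past len, so len - pos cannot wrap. */
static void scan_open_tag_fixed(scan_state *st) {
    st->token_start = st->s + st->pos;
    if (st->s[st->pos] == '<') {
        st->pos += (st->pos + 1 < st->len) ? 2 : 1;  /* consume 2nd byte only if present */
    }
    if (st->pos > st->len) st->pos = st->len;        /* defensive clamp */
    st->token_len = st->len - st->pos;
}

/* Scan `s` once with declared length `len` (len >= 1) and return token_len. */
size_t token_len_after_scan(const char *s, size_t len, int fixed) {
    scan_state st = { s, len, 0, NULL, 0 };
    if (fixed) scan_open_tag_fixed(&st); else scan_open_tag_buggy(&st);
    return st.token_len;
}

/* True when a read of token_len bytes from token_start stays inside the buffer. */
int token_in_bounds(size_t token_len, size_t len) {
    return token_len <= len;
}

int main(void) {
    size_t bad = token_len_after_scan("<%", 1, 0);
    size_t good = token_len_after_scan("<%", 1, 1);
    printf("buggy token_len = %zu, in bounds: %d\n", bad, token_in_bounds(bad, 1));
    printf("fixed token_len = %zu, in bounds: %d\n", good, token_in_bounds(good, 1));
    return 0;
}
```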

Hi, thanks for the report. The XSS code has a number of these.
I'm working on cleaning it up.

Thanks for the test case. That is helpful!


client9 avatar Jun 06 '14 00:06 client9