diff --git a/picohttpparser.c b/picohttpparser.c index 5e5783a..f2679ab 100644 --- a/picohttpparser.c +++ b/picohttpparser.c @@ -557,6 +557,18 @@ ssize_t phr_decode_chunked(struct phr_chunked_decoder *decoder, char *buf, size_ ret = -1; goto Exit; } + /* the only characters that may appear after the chunk size are BWS, semicolon, or CRLF */ + switch (buf[src]) { + case ' ': + case '\011': + case ';': + case '\012': + case '\015': + break; + default: + ret = -1; + goto Exit; + } break; } if (decoder->_hex_count == sizeof(size_t) * 2) { diff --git a/test.c b/test.c index 2c589f3..3c32974 100644 --- a/test.c +++ b/test.c @@ -410,6 +410,7 @@ static void test_chunked(void) chunked_test_runners[i](__LINE__, 0, "b\r\nhello world\r\n0\r\n", "hello world", 0); chunked_test_runners[i](__LINE__, 0, "6\r\nhello \r\n5\r\nworld\r\n0\r\n", "hello world", 0); chunked_test_runners[i](__LINE__, 0, "6;comment=hi\r\nhello \r\n5\r\nworld\r\n0\r\n", "hello world", 0); + chunked_test_runners[i](__LINE__, 0, "6 ; comment\r\nhello \r\n5\r\nworld\r\n0\r\n", "hello world", 0); chunked_test_runners[i](__LINE__, 0, "6\r\nhello \r\n5\r\nworld\r\n0\r\na: b\r\nc: d\r\n\r\n", "hello world", sizeof("a: b\r\nc: d\r\n\r\n") - 1); chunked_test_runners[i](__LINE__, 0, "b\r\nhello world\r\n0\r\n", "hello world", 0); @@ -421,6 +422,7 @@ static void test_chunked(void) test_chunked_failure(__LINE__, "6\r\nhello \r\nffffffffffffffff\r\nabcdefg", -2); test_chunked_failure(__LINE__, "6\r\nhello \r\nfffffffffffffffff\r\nabcdefg", -1); } + test_chunked_failure(__LINE__, "1x\r\na\r\n0\r\n", -1); } static void test_chunked_consume_trailer(void)
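Review bot: The new switch in phr_decode_chunked validates only the single byte that follows the hex digits, so it rejects `1x` but decides nothing about what may come after an accepted space or tab; whether `1 x` is refused depends on the chunk-extension handling, which is outside this hunk. It also lets `'\012'` and `'\015'` through on their own, so a bare LF, or a CR not followed by LF, is not rejected at this point, and lenient line endings in chunk framing are a common source of parsing disagreement between a proxy and the server behind it. If that leniency is deliberate, the comment should say so, for example `/* checks the first byte after the size only; bare LF and bare CR are tolerated here */`, and the octal cases would read more easily labelled (`case '\011': /* HTAB */`, `case '\012': /* LF */`, `case '\015': /* CR */`). The enclosing loop and the function start and end outside the hunk.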
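Review bot: The added success case in test_chunked exercises a space before and after the semicolon, but the tab branch (`case '\011'`) accepted by the decoder change has no test. A sibling line such as `chunked_test_runners[i](__LINE__, 0, "6\t;comment\r\nhello \r\n5\r\nworld\r\n0\r\n", "hello world", 0);` would cover it, assuming the extension text is skipped the same way as in the `6;comment=hi` case above it. The loop this line sits in starts outside the hunk.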
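Review bot: The one new failure case covers a stray byte (`x`) directly after the size of the first chunk only. A second case for a later chunk, e.g. `test_chunked_failure(__LINE__, "6\r\nhello \r\n5x\r\nworld\r\n0\r\n", -1);`, should show the check also applies after data has already been decoded; a case for a byte following accepted whitespace (`"1 x\r\n..."`) would be worth adding too, with the expected value set to whatever behaviour is intended there, which this commit does not show. The call is placed after a closing brace whose opening is outside the hunk, so it is not under the condition that guards the two calls above it; a short comment such as `/* invalid byte directly after the chunk size */` would make that placement read as deliberate.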