From 6c4343a742c70ee8adb6ff7b1ab476976955e58c Mon Sep 17 00:00:00 2001
From: Michael Drake
Date: Sat, 22 Oct 2022 21:11:05 +0100
Subject: utils: ssl_certs: Fix potential snprintf overflow
---
 utils/ssl_certs.c | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)
(limited to 'utils/ssl_certs.c')
diff --git a/utils/ssl_certs.c b/utils/ssl_certs.c
index d0f2a6c18..8546165ac 100644
--- a/utils/ssl_certs.c
+++ b/utils/ssl_certs.c
@@ -248,12 +248,23 @@ nserror cert_chain_to_query(struct cert_chain *chain, struct nsurl **url_out )
 urlstrlen = snprintf((char *)urlstr, allocsize, "about:certificate");
 for (depth = 0; depth < chain->depth; depth++) {
+ int written;
 nsuerror nsures;
 size_t output_length;
- urlstrlen += snprintf((char *)urlstr + urlstrlen,
- allocsize - urlstrlen,
- "&cert=");
+ written = snprintf((char *)urlstr + urlstrlen,
+ allocsize - urlstrlen,
+ "&cert=");
+ if (written < 0) {
+ free(urlstr);
+ return NSERROR_UNKNOWN;
+ }
+ if ((size_t)written >= allocsize - urlstrlen) {
+ free(urlstr);
+ return NSERROR_UNKNOWN;
+ }
+
+ urlstrlen += (size_t)written;
 output_length = allocsize - urlstrlen;
 nsures = nsu_base64_encode_url(
@@ -268,10 +279,20 @@ nserror cert_chain_to_query(struct cert_chain *chain, struct nsurl **url_out )
 urlstrlen += output_length;
 if (chain->certs[depth].err != SSL_CERT_ERR_OK) {
- urlstrlen += snprintf((char *)urlstr + urlstrlen,
- allocsize - urlstrlen,
- "&certerr=%d",
- chain->certs[depth].err);
+ written = snprintf((char *)urlstr + urlstrlen,
+ allocsize - urlstrlen,
+ "&certerr=%d",
+ chain->certs[depth].err);
+ if (written < 0) {
+ free(urlstr);
+ return NSERROR_UNKNOWN;
+ }
+ if ((size_t)written >= allocsize - urlstrlen) {
+ free(urlstr);
+ return NSERROR_UNKNOWN;
+ }
+
+ urlstrlen += (size_t)written;
 }
 }
-- cgit v1.2.3
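Review bot: The `urlstrlen = snprintf((char *)urlstr, allocsize, "about:certificate");` call just above the loop is still unchecked, so it keeps the pattern this commit removes from the loop body. If that call returned a negative value or a length of at least allocsize, the first `allocsize - urlstrlen` inside the loop would wrap (assuming urlstrlen is a size_t, as the added `(size_t)written` casts suggest) and the new truncation test would compare against a meaningless bound. How allocsize is computed lies outside the hunk, so this may be unreachable in practice, but guarding the first write the same way closes the gap; the function body starts and ends outside the hunk.

```c
	int prefix_len;

	prefix_len = snprintf((char *)urlstr, allocsize, "about:certificate");
	if (prefix_len < 0 || (size_t)prefix_len >= allocsize) {
		free(urlstr);
		return NSERROR_UNKNOWN;
	}
	urlstrlen = (size_t)prefix_len;
	for (depth = 0; depth < chain->depth; depth++) {
		/* … unchanged: per-certificate "&cert=" append and its checks … */
```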
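Review bot: The two back-to-back `if` blocks after the `&certerr=%d` write have identical bodies and could be a single test, `if (written < 0 || (size_t)written >= allocsize - urlstrlen) {`, which still evaluates the negative-return case before the cast. The same pair follows the `&cert=` write in the first hunk, so four error blocks would collapse to two. A one-line comment such as `/* error, or output truncated: no room left for the terminator */` above the test would record why a length equal to the remaining space also counts as failure. The enclosing loop and function run beyond the hunk.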