authorMustafa Emre Acer <meacer@chromium.org>2020-04-06 21:19:41 +0000
committerMichal Klocek <michal.klocek@qt.io>2020-04-24 14:31:38 +0000
commit17dd703700e2316746cea0a08609909ab00cf3ed (patch)
treee2b7982fc8ff1f9bf36bd2155172575b24fb6a28
parent8154ce0fcad4dec874fa8d97ee4a0c8202d88f45 (diff)
downloadqtwebengine-chromium-17dd703700e2316746cea0a08609909ab00cf3ed.tar.gz
[Backport] CVE-2020-6460
Don't decode invalid punycode in URL formatter Bug: 1063566 Change-Id: I631ba68718cf69c5972555d7826b089e27fa5150 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/components/url_formatter/url_formatter.cc4
1 files changed, 3 insertions, 1 deletions
diff --git a/chromium/components/url_formatter/url_formatter.cc b/chromium/components/url_formatter/url_formatter.cc
index 58cadb980bb..d7cc2ea441c 100644
--- a/chromium/components/url_formatter/url_formatter.cc
+++ b/chromium/components/url_formatter/url_formatter.cc
@@ -408,9 +408,11 @@ bool IDNToUnicodeOneComponent(const base::char16* comp,
return false;
// Early return if the input cannot be an IDN component.
+ // Valid punycode must not end with a dash.
static const base::char16 kIdnPrefix[] = {'x', 'n', '-', '-'};
if (comp_len <= base::size(kIdnPrefix) ||
- memcmp(comp, kIdnPrefix, sizeof(kIdnPrefix)) != 0) {
+ memcmp(comp, kIdnPrefix, sizeof(kIdnPrefix)) != 0 ||
+ comp[comp_len - 1] == '-') {
out->append(comp, comp_len);
return false;
}
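Review bot: The new `comp[comp_len - 1]` read is only in bounds because the `comp_len <= base::size(kIdnPrefix)` clause is evaluated first and short-circuits, and nothing in the condition says so; a later reordering of the clauses would turn it into an out-of-bounds read for an empty component. The added comment sits above the `kIdnPrefix` declaration rather than next to the clause it explains; I would move it directly above the `if` and word it as `// A label ending in '-' is not valid punycode: append it undecoded. The length check must stay first so comp[comp_len - 1] is in bounds.` The diffstat lists only url_formatter.cc, so this backport carries no regression test; a case asserting that an `xn--` label with a trailing dash is appended verbatim and returns false would pin the fix. The body of IDNToUnicodeOneComponent starts and ends outside the hunk, so how other malformed punycode is handled further down cannot be judged from here.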