author | Mustafa Emre Acer <meacer@chromium.org> | 2020-04-06 21:19:41 +0000 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2020-04-24 14:31:38 +0000 |
commit | 17dd703700e2316746cea0a08609909ab00cf3ed (patch) | |
tree | e2b7982fc8ff1f9bf36bd2155172575b24fb6a28 | |
parent | 8154ce0fcad4dec874fa8d97ee4a0c8202d88f45 (diff) | |
download | qtwebengine-chromium-17dd703700e2316746cea0a08609909ab00cf3ed.tar.gz |
[Backport] CVE-2020-6460
Don't decode invalid punycode in URL formatter
Bug: 1063566
Change-Id: I631ba68718cf69c5972555d7826b089e27fa5150
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/components/url_formatter/url_formatter.cc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/chromium/components/url_formatter/url_formatter.cc b/chromium/components/url_formatter/url_formatter.cc
index 58cadb980bb..d7cc2ea441c 100644
--- a/chromium/components/url_formatter/url_formatter.cc
+++ b/chromium/components/url_formatter/url_formatter.cc
@@ -408,9 +408,11 @@ bool IDNToUnicodeOneComponent(const base::char16* comp,
 return false;
 // Early return if the input cannot be an IDN component.
+ // Valid punycode must not end with a dash.
 static const base::char16 kIdnPrefix[] = {'x', 'n', '-', '-'};
 if (comp_len <= base::size(kIdnPrefix) ||
- memcmp(comp, kIdnPrefix, sizeof(kIdnPrefix)) != 0) {
+ memcmp(comp, kIdnPrefix, sizeof(kIdnPrefix)) != 0 ||
+ comp[comp_len - 1] == '-') {
 out->append(comp, comp_len);
 return false;
 }
|
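Review bot: The added comment above `kIdnPrefix` states the rule but not what the early return does for display, which is the security-relevant part of this CVE fix. I would extend it to something like `// Valid punycode must not end with a dash; such a label is appended to |out| unchanged and is never decoded for display.` The new `comp[comp_len - 1]` read is in bounds only because the `comp_len <= base::size(kIdnPrefix)` clause short-circuits first, so that ordering deserves a short why-comment so a later reorder does not break it. The backport touches only url_formatter.cc, so no regression case is visible here; a unit-test row asserting that an `xn--` label ending in `-` comes back verbatim with a `false` return would pin the behaviour. IDNToUnicodeOneComponent starts and ends outside this hunk, so how the decoder below treats other malformed labels cannot be judged from here.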