From fd02f5f0832dd524352d11f77bc0fccf6ecc0047 Mon Sep 17 00:00:00 2001
From: Christophe CURIS
Date: Sat, 4 May 2013 15:43:28 +0200
Subject: [PATCH] WUtil: Fixed risky code for de-escaping of strings

The internal function 'unescapestr' is used to transform strings which may contain escape sequences (\x) into their plain representation. There are a few cases where the function can misbehave (typically parse after the end of string, thus writing past the end of the reserved result area) which can be a source of problem later. The new code should be safer.
---
 WINGs/proplist.c | 39 ++++++++++++++++++++++++++++-----------
 1 file changed, 28 insertions(+), 11 deletions(-)

diff --git a/WINGs/proplist.c b/WINGs/proplist.c
index 1243354b..bb5e0577 100644
--- a/WINGs/proplist.c
+++ b/WINGs/proplist.c
@@ -508,16 +508,33 @@ static char *unescapestr(const char *src)
 char *dPtr;
 char ch;

- for (dPtr = dest; *src; src++, dPtr++) {
- if (*src != '\\') {
- *dPtr = *src;
- } else {
- ch = *(++src);
- if ((ch >= '0') && (ch <= '3')) {
- /* assume next 2 chars are octal too */
- *dPtr = ((ch & 07) << 6);
- *dPtr |= ((*(++src) & 07) << 3);
- *dPtr |= *(++src) & 07;
+ for (dPtr = dest; ; dPtr++) {
+ ch = *src++;
+ if (ch == '\0')
+ break;
+ else if (ch != '\\')
+ *dPtr = ch;
+ else {
+ ch = *(src++);
+ if (ch == '\0') {
+ *dPtr = '\\';
+ break;
+ } else if ((ch >= '0') && (ch <= '7')) {
+ char wch;
+
+ /* Convert octal number to character */
+ wch = (ch & 07);
+ ch = *src;
+ if ((ch >= '0') && (ch <= '7')) {
+ src++;
+ wch = (wch << 3) | (ch & 07);
+ ch = *src;
+ if ((ch >= '0') && (ch <= '7')) {
+ src++;
+ wch = (wch << 3) | (ch & 07);
+ }
+ }
+ *dPtr = wch;
 } else {
 switch (ch) {
 case 'a':
@@ -542,7 +559,7 @@ static char *unescapestr(const char *src)
 *dPtr = '\f';
 break;
 default:
- *dPtr = *src;
+ *dPtr = ch;
 }
 }
 }
-- 
2.11.4.GIT
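Review bot: In the first hunk, the trailing-backslash branch (`if (ch == '\0') { *dPtr = '\\'; break; }`) leaves the loop without the `dPtr++` from the for header. If the terminator is then stored at `*dPtr` after the loop (that code is outside the hunk), the backslash is overwritten and a lone trailing `\` is silently dropped. If keeping it is the intent, advance the pointer in that branch with `*dPtr++ = '\\';`. The output still cannot grow beyond the input length, so this fits as long as the destination is sized from `strlen(src) + 1`, which the hunk does not show. Separately, the octal branch now accepts a first digit up to '7', so a three-digit sequence such as `\777` exceeds 0377 and is truncated when stored in `char wch`; either stop after two digits when the first is above '3', or add a comment stating that the value is reduced modulo 256.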