From f8b183d8e96edabedea51ed712f12a3702e425fe Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Fri, 17 Jan 2020 13:01:25 +0000
Subject: [PATCH] [Minor] Another try to fix urls shifting when decoding

---
 src/libserver/url.c   | 17 +++++++++++++----
 test/lua/unit/url.lua |  4 ++++
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/libserver/url.c b/src/libserver/url.c
index 866cb4c22..648e0e103 100644
--- a/src/libserver/url.c
+++ b/src/libserver/url.c
@@ -1781,6 +1781,7 @@ rspamd_url_shift (struct rspamd_url *uri, gsize nlen,
 		enum http_parser_url_fields field)
 {
 	guint old_shift, shift = 0;
+	gint remain;
 
 	/* Shift remaining data */
 	switch (field) {
@@ -1794,8 +1795,10 @@ rspamd_url_shift (struct rspamd_url *uri, gsize nlen,
 
 		old_shift = uri->protocollen;
 		uri->protocollen -= shift;
+		remain = uri->urllen - uri->protocollen;
+		g_assert (remain >= 0);
 		memmove (uri->string + uri->protocollen, uri->string + old_shift,
-				uri->urllen - uri->protocollen);
+				remain);
 		uri->urllen -= shift;
 		uri->flags |= RSPAMD_URL_FLAG_SCHEMAENCODED;
 		break;
@@ -1809,8 +1812,10 @@ rspamd_url_shift (struct rspamd_url *uri, gsize nlen,
 
 		old_shift = uri->hostlen;
 		uri->hostlen -= shift;
+		remain = (uri->urllen - (uri->host - uri->string)) - uri->hostlen;
+		g_assert (remain >= 0);
 		memmove (uri->host + uri->hostlen, uri->host + old_shift,
-				uri->datalen + uri->querylen + uri->fragmentlen + 1);
+				remain);
 		uri->urllen -= shift;
 		uri->flags |= RSPAMD_URL_FLAG_HOSTENCODED;
 		break;
@@ -1824,8 +1829,10 @@ rspamd_url_shift (struct rspamd_url *uri, gsize nlen,
 
 		old_shift = uri->datalen;
 		uri->datalen -= shift;
+		remain = (uri->urllen - (uri->data - uri->string)) - uri->datalen;
+		g_assert (remain >= 0);
 		memmove (uri->data + uri->datalen, uri->data + old_shift,
-				uri->querylen + uri->fragmentlen + 1);
+				remain);
 		uri->urllen -= shift;
 		uri->flags |= RSPAMD_URL_FLAG_PATHENCODED;
 		break;
@@ -1839,8 +1846,10 @@ rspamd_url_shift (struct rspamd_url *uri, gsize nlen,
 
 		old_shift = uri->querylen;
 		uri->querylen -= shift;
+		remain = (uri->urllen - (uri->query - uri->string)) - uri->querylen;
+		g_assert (remain >= 0);
 		memmove (uri->query + uri->querylen, uri->query + old_shift,
-				uri->fragmentlen + 1);
+				remain);
 		uri->urllen -= shift;
 		uri->flags |= RSPAMD_URL_FLAG_QUERYENCODED;
 		break;
diff --git a/test/lua/unit/url.lua b/test/lua/unit/url.lua
index 7f337c8b2..3c56713d2 100644
--- a/test/lua/unit/url.lua
+++ b/test/lua/unit/url.lua
@@ -56,6 +56,10 @@ context("URL check functions", function()
   end
 
   cases = {
+    {'http://example.net/hello%20world.php?arg=x#fragment', true, {
+      host = 'example.net', fragment = 'fragment', query = 'arg=x',
+      path = 'hello world.php',
+    }},
     {'http://example.net/?arg=%23#fragment', true, {
       host = 'example.net', fragment = 'fragment', query = 'arg=#',
     }},
-- 
2.39.5