memory overwrite issue for pacparser_find_proxy function #99
Description
The following piece of code was pacparser_find_proxy
// URL-encode "'" as we use single quotes to stick the URL into a temporary script.
char ***sanitized_url** = str_replace(url, "'", "%27");
// Hostname shouldn't have single quotes in them
if (strchr(host, '\'')) {
print_error("%s %s\n", error_prefix,
"Invalid hostname: hostname can't have single quotes.");
return NULL;
}
script = (char*) malloc(32 + strlen(**url**) + strlen(host));
script[0] = '\0';
strcat(script, "findProxyForURL('");
strcat(script, **sanitized_url**);
strcat(script, "', '");
strcat(script, host);
strcat(script, "')");
The above code using stelen(url) to calculate the length of the memory malloced, however, the sanitized_url could be larger than url since one single quote character would be replaced to three characters(%27)
If there are many single quotes in the input url, then it would cause memory overwrite issue.