From 7d02b225fe11fb0c7233cd2ea576485ee920f203 Mon Sep 17 00:00:00 2001
From: Xavier Del Campo Romero <xavi.dcr@tutanota.com>
Date: Sun, 12 Nov 2023 06:16:26 +0100
Subject: http.c: Fix several issues with partial boundaries

- Writing to m->boundary[len] did not make any sense, as len is not
meant to change between calls to read_mf_boundary_byte.
- For the same reason, memset(3)ing "len + 1" did not make any sense.
- When a partial boundary is found, http_memmem must still return st.
- Calling reset_boundary with prev == 0 did not make sense, since that
case typically means a partial boundary was found on a previous
iteration, so m->blen must not be reset.
---
 http.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/http.c b/http.c
index 0184c65..7440944 100644
--- a/http.c
+++ b/http.c
@@ -1496,16 +1496,21 @@ static int reset_boundary(struct http_ctx *const h, const void *const buf,
 {
     struct multiform *const m = &h->ctx.u.mf;
     struct form *const f = &m->forms[m->nforms - 1];
-    const size_t len = strlen(m->boundary);
     int (*const read_mf)(struct http_ctx *, const void *, size_t) =
-        f->filename ? read_mf_body_to_file : read_mf_body_to_mem;
-    const int res = read_mf(h, m->boundary, len);
+            f->filename ? read_mf_body_to_file : read_mf_body_to_mem;
 
-    if (res)
-        return res;
+    if (n)
+    {
+        const size_t len = strlen(m->boundary);
+        const int res = read_mf(h, m->boundary, len);
+
+        if (res)
+            return res;
+
+        memset(m->boundary, '\0', len);
+        m->blen = 0;
+    }
 
-    memset(m->boundary, '\0', len);
-    m->blen = 0;
     return read_mf(h, buf, n);
 }
 
@@ -1599,19 +1604,20 @@ static int read_mf_body_boundary_byte(struct http_ctx *const h, const char b,
 {
     struct ctx *const c = &h->ctx;
     struct multiform *const m = &c->u.mf;
+    const size_t clen = strlen(c->boundary);
 
     if (b == c->boundary[m->blen])
     {
-        m->boundary[len] = b;
+        m->boundary[m->blen++] = b;
 
-        if (++m->blen >= strlen(c->boundary))
+        if (m->blen >= clen)
         {
             /* Found intermediate boundary. */
             struct form *const f = &m->forms[m->nforms - 1];
             const int ret = f->filename ? apply_from_file(h, f)
                 : apply_from_mem(h, f);
 
-            memset(m->boundary, '\0', len + 1);
+            memset(m->boundary, '\0', clen);
             m->blen = 0;
             m->state = MF_END_BOUNDARY_CR_LINE;
             m->written = 0;
@@ -1657,7 +1663,7 @@ static const char *http_memmem(const char *const a, const void *const b,
         }
     }
 
-    return NULL;
+    return st;
 }
 
 static int read_mf_body_boundary(struct http_ctx *const h,
-- 
cgit v1.2.3