264388: Heap overflow in MSG_UnEscapeSearchUrl

bienvenu: review+, roc: superreview+

mailnews/news/src/nsNNTPProtocol.cpp

@@ -72,6 +72,7 @@
 #include "prlog.h"
 #include "prerror.h"
 #include "nsEscape.h"
+#include "nsString.h"
 
 #include "prprf.h"
 
@@ -325,33 +326,22 @@ static const char *XP_AppCodeName = "Mozilla";
 #endif
 #define NET_IS_SPACE(x) ((x)==' ' || (x)=='\t')
 
+// turn "\xx" (with xx being hex numbers) in string into chars
 char *MSG_UnEscapeSearchUrl (const char *commandSpecificData)
 {
-	char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1);
-	if (result)
-	{
-		char *resultPtr = result;
-		while (1)
-		{
-			char ch = *commandSpecificData++;
-			if (!ch)
-				break;
-			if (ch == '\\')
-			{
-				char scratchBuf[3];
-				scratchBuf[0] = (char) *commandSpecificData++;
-				scratchBuf[1] = (char) *commandSpecificData++;
-				scratchBuf[2] = '\0';
-				int accum = 0;
-				PR_sscanf(scratchBuf, "%X", &accum);
-				*resultPtr++ = (char) accum;
-			}
-			else
-				*resultPtr++ = ch;
-		}
-		*resultPtr = '\0';
-	}
-	return result;
+  nsCAutoString result(commandSpecificData);
+  PRInt32 slashpos = 0;
+  while (slashpos = result.FindChar('\\', slashpos),
+         slashpos != kNotFound)
+  {
+    nsCAutoString hex;
+    hex.Assign(Substring(result, slashpos + 1, 2));
+    PRInt32 err, ch;
+    ch = hex.ToInteger(&err, 16);
+    result.Replace(slashpos, 3, err == NS_OK && ch != 0 ? (char) ch : 'X');
+    slashpos++;
+  }
+  return ToNewCString(result);
 }
 
 ////////////////////////////////////////////////////////////////////////////////////////////