From 788a49af9c150f1dbf110230352e7b1324dfe3b4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Wilfried=20G=C3=B6esgens?= <willi@citadel.org>
Date: Mon, 5 May 2008 21:23:10 +0000
Subject: [PATCH] * sanitize cookie stuff

---
 webcit/cookie_conversion.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/webcit/cookie_conversion.c b/webcit/cookie_conversion.c
index 328d72fe1..fd3082b79 100644
--- a/webcit/cookie_conversion.c
+++ b/webcit/cookie_conversion.c
@@ -35,7 +35,7 @@ void stuff_to_cookie(char *cookie, size_t clen, int session,
 
 	len = snprintf(buf, SIZ, "%d|%s|%s|%s|", session, user, pass, room);
 	strcpy(cookie, "");
-	for (i=0; i<len; ++i) {
+	for (i=0; (i < len) && (i * 2 < clen); ++i) {
 		snprintf(&cookie[i*2], clen - i * 2, "%02X", buf[i]);
 	}
 }
@@ -50,13 +50,18 @@ int xtoi(char *in, size_t len)
 {
 	int val = 0;
 	char c = 0;
-	while (isxdigit((byte) *in) && (len-- > 0))
+	while (!IsEmptyStr(in) && isxdigit((byte) *in) && (len-- > 0))
 	{
 		c = *in++;
 		val <<= 4;
-		val += isdigit((unsigned char)c)
-	    	? (c - '0')
-		: (tolower((unsigned char)c) - 'a' + 10);
+		if (!isdigit((unsigned char)c)) {
+			c = tolower((unsigned char) c);
+			if ((c < 'a') || (c > 'f'))
+				return 0;
+			val += c  - 'a' + 10 ;
+		}
+		else
+			val += c - '0';
 	}
 	return val;
 }
@@ -81,7 +86,7 @@ void cookie_to_stuff(char *cookie, int *session,
 	int i, len;
 
 	strcpy(buf, "");
-	len = strlen(cookie) * 2 ;
+	len = strlen(cookie) / 2;
 	for (i=0; i<len; ++i) {
 		buf[i] = xtoi(&cookie[i*2], 2);
 		buf[i+1] = 0;
-- 
2.30.2