fix: buffer overflow in multipart body proc

[airween]

what

This PR fixes a possible heap buffer overflow in multipart body processor.

why

There is a bug report, received in email from @fumfel and his team. Also they provided this fix.

references

The original report:

Root Cause
----------

Bug A: The condition checks *(p+1) and *(p+2) for hex digits. When
*(p+1) is the last byte before the null terminator, the short-circuit
evaluation of the || chain does NOT prevent *(p+2) from being read.
The condition (!isxdigit(*(p+1))) is false when *(p+1) is a hex digit,
so evaluation continues to (!isxdigit(*(p+2))) which reads past the
allocation.

Bug B: After the while loop that scans a quoted value, the code
unconditionally does p++ to skip the closing quote. But if the string
ended without a closing quote (the loop exited on *p == '\0'), this
advances the pointer past the null terminator, causing subsequent
reads to access out-of-bounds memory.

other notes

After a review and a short discussion, @fumfel and his team confirmed that this issue can occur if the source code was built with ASAN flags.

[Copilot]

Pull request overview

Fixes a potential out-of-bounds read/heap buffer overflow in multipart Content-Disposition parsing, based on an external bug report.

Changes:

• Adds an explicit *(p+2) == '\0' guard before validating the second hex digit in filename* percent-escapes.
• Avoids incrementing p past the string terminator when a quoted parameter value is missing a closing quote.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

If the quoted value runs to the end of the string without a closing quote, this now silently accepts the header and finishes parsing with p at \0. That’s safer than the previous OOB, but it likely violates the expected grammar for quoted parameters and can lead to inconsistent parsing/validation. Consider treating a missing closing quote as an error (e.g., return a specific negative code and/or set m_flag_invalid_quoting) instead of accepting it as valid.

Suggested change

	p++; /* go over the quote at the end */
	p++; /* go over the quote at the end */
	} else {
	m_flag_invalid_quoting = 1;
	return -15;

[Copilot]

The PR addresses out-of-bounds reads in Content-Disposition parsing; adding regression cases for (1) filename* values ending with an incomplete percent-escape (e.g. trailing %A) and (2) quoted values missing a terminating quote would help ensure this remains fixed (especially under ASAN/UBSAN).

Suggested change

	if (*p == quote) {
	p++; /* go over the quote at the end */
	}
	if (*p == '\0') {
	/* missing terminating quote */
	return -7;
	}
	p++; /* go over the quote at the end */

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud