From 737e1bef50657dca6179dcf53fef3217e12f0e88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?=
Date: Thu, 19 Mar 2015 00:07:19 +0000
Subject: [PATCH] Increment by three, not one, after successfully decoding a character. Add a boundary check.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@858 185d5e19-27fe-0310-9dcf-9bff6b9f3609
---
 lib/liboath/oath_uri_decode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/liboath/oath_uri_decode.c b/lib/liboath/oath_uri_decode.c
index 1a9beac..c9d8acc 100644
--- a/lib/liboath/oath_uri_decode.c
+++ b/lib/liboath/oath_uri_decode.c
@@ -58,12 +58,13 @@ oath_uri_decode(const char *in, size_t ilen, char *out, size_t olen)
 if (ilen == 0)
 ilen = strlen(in);
 for (ipos = opos = 0; ipos < ilen && in[ipos] != '\0'; ++ipos, ++opos) {
- if (in[ipos] == '%' &&
+ if (in[ipos] == '%' && ipos + 2 < ilen &&
 is_xdigit(in[ipos + 1]) &&
 is_xdigit(in[ipos + 2])) {
 if (out != NULL && opos < olen - 1)
 out[opos] = unhex(in[ipos + 1]) * 16 +
 unhex(in[ipos + 2]);
 ilen += 2;
+ ipos += 2;
 } else {
 if (out != NULL && opos < olen - 1)
 out[opos] = in[ipos];
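Review bot: As the hunk is shown, `ilen += 2;` remains as an unchanged context line directly above the added `ipos += 2;`, so every decoded escape still widens the input bound by two bytes. That undermines both the new `ipos + 2 < ilen` check and the loop condition `ipos < ilen`: after N escapes they accept positions up to 2N bytes past the length the caller passed, and only the `in[ipos] != '\0'` test stops the scan, which means an out-of-bounds read when `in` is a length-delimited buffer with no terminator. I would delete `ilen += 2;` and keep only `ipos += 2;`. Separately, `opos < olen - 1` on the context lines wraps around when `olen` is 0 and `out` is non-NULL, so a guard such as `olen > 0 &&` (or an early return) would be worth adding. The body of oath_uri_decode continues past the end of the hunk, so the terminator handling is not visible here.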