From 5974d4b3feb7bcee7c9579d5959fa73665d85d82 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Thu, 2 Dec 2021 17:33:57 +0100
Subject: PROJ string parsing: fix unquoting of parameter values when the parameter name is just one single character
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41462
---
 src/internal.cpp | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)
(limited to 'src/internal.cpp')
diff --git a/src/internal.cpp b/src/internal.cpp
index e934069f..b7648924 100644
--- a/src/internal.cpp
+++ b/src/internal.cpp
@@ -326,6 +326,31 @@ argument string, args, and count its number of elements.
 }
+static void unquote_string(char* param_str) {
+
+ size_t len = strlen(param_str);
+ // Remove leading and terminating spaces after equal sign
+ const char* equal = strstr(param_str, "=\"");
+ if( equal && equal - param_str + 1 >= 2 && param_str[len-1] == '"' ) {
+ size_t dst = equal + 1 - param_str;
+ size_t src = dst + 1;
+ for( ; param_str[src]; dst++, src++)
+ {
+ if( param_str[src] == '"' ) {
+ if( param_str[src+1] == '"' ) {
+ src++;
+ } else {
+ break;
+ }
+ }
+ param_str[dst] = param_str[src];
+ }
+ param_str[dst] = '\0';
+ }
+
+}
+
+
 /*****************************************************************************/
 char **pj_trim_argv (size_t argc, char *args) {
@@ -349,7 +374,6 @@ It is the duty of the caller to free this array.
 if (0==argc) return nullptr;
- /* turn the input string into an array of strings */
 char** argv = (char **) calloc (argc, sizeof (char *));
 if (nullptr==argv)
@@ -359,6 +383,7 @@ It is the duty of the caller to free this array.
 char* str = argv[j];
 size_t nLen = strlen(str);
 i += nLen + 1;
+ unquote_string(str);
 }
 return argv;
 }
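Review bot: The comment `// Remove leading and terminating spaces after equal sign` in unquote_string does not describe the code under it, which strips the double quotes around the value after `=` and folds every `""` pair into one `"`; nothing in the function touches spaces. Suggest `// Strip the quotes around the value after '=' and turn each "" inside them into a single "`, and writing the condition `equal - param_str + 1 >= 2` as `equal > param_str` with a note that it only requires a non-empty parameter name, which is the one-character case this commit is about. A line above the loop is also worth adding: copying stops at the first `"` that is not followed by another `"`, so for input like `a="x"y"` everything after that quote is silently dropped — every index read or written stays at or below the terminator, so this is not a memory-safety problem, but the caller receives a truncated value with no error. unquote_string is complete within the hunk; the body of pj_trim_argv continues past it.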
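Review bot: The new `unquote_string(str);` call rewrites `str` in place and can only shorten it, so reading `nLen` from `strlen(str)` on the line above, before the call, is what keeps `i` advancing by the token's original length; that ordering is load-bearing and should be stated, e.g. `// unquote_string() shrinks str in place; i was already advanced by the original length` on the new line. Presumably `i` indexes into the `args` buffer that `str` points into, which is why the original length matters — worth confirming from the loop header. The enclosing for loop starts outside the hunk.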
@@ -370,7 +395,11 @@ std::string pj_double_quote_string_param_if_needed(const std::string& str) {
 if( str.find(' ') == std::string::npos ) {
 return str;
 }
- return '"' + replaceAll(str, "\"", "\"\"") + '"';
+ std::string ret;
+ ret += '"';
+ ret += replaceAll(str, "\"", "\"\"");
+ ret += '"';
+ return ret;
 }
 /*****************************************************************************/
@@ -383,7 +412,6 @@ Allocates, and returns, an array of char, large enough to hold a
 whitespace separated copy of the args in argv.
 It is the duty of the caller to free this array.
 ******************************************************************************/
- try {
 std::string s;
-- cgit v1.2.3
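Review bot: Quoting is skipped whenever the value contains no space, but unquote_string (added earlier in this commit) strips the quotes from any `name="..."` token whose last character is a quote, so a value that itself starts and ends with a double quote, say `"abc"`, is emitted bare and comes back as `abc` when reparsed — the two halves of the commit do not round-trip. Suggest also quoting when the value contains a quote, `if( str.find(' ') == std::string::npos && str.find('"') == std::string::npos )`, which sends `"abc"` out as `"""abc"""` and brings it back intact through the `""` folding. The `ret` rewrite is behaviorally the same as the removed expression, assuming replaceAll replaces every occurrence as its name suggests. The function's signature line is outside the hunk.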