From 12f54fe3b61f761c096fe95e95d5e3072af00ed2 Mon Sep 17 00:00:00 2001
From: "Kevin J. McCarthy" <kevin@8t8.us>
Date: Sat, 18 Apr 2026 22:40:46 +0800
Subject: [PATCH] Check for embedded nul in url_pct_decode().

Consider %00 an invalid character in a URL.

Thanks to evilrabbit@tutamail.com for the security report.

Reviewed-by: Alejandro Colomar <alx@kernel.org>
---
 url.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/url.c b/url.c
index 19a52443..fddbc6f2 100644
--- a/url.c
+++ b/url.c
@@ -60,7 +60,9 @@ static int url_pct_decode (char *s)
       if (s[1] && s[2] &&
 	  isxdigit ((unsigned char) s[1]) &&
 	  isxdigit ((unsigned char) s[2]) &&
-	  hexval (s[1]) >= 0 && hexval (s[2]) >= 0)
+          hexval(s[1]) >= 0 && hexval(s[2]) >= 0 &&
+          // check for embedded nul
+          (hexval(s[1]) > 0 || hexval(s[2]) > 0))
       {
 	*d++ = (hexval (s[1]) << 4) | (hexval (s[2]));
 	s += 2;
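Review bot: The added condition on L24–L26 calls hexval() four times on the same two characters and states the nul check indirectly as "either nibble is non-zero"; binding the decoded byte once, `int c = (hexval(s[1]) << 4) | hexval(s[2]);`, rejecting `c == 0` and then storing `*d++ = c;` would make the intent of L25's comment explicit and also drop the `>= 0` tests, which the isxdigit() checks on L21–L22 already guarantee. The one-line comment deserves the reason the commit message gives only implicitly: `/* reject %00: a nul here would silently truncate the in-place decoded C string, so everything after it would be dropped by later consumers */`. The new lines are also indented with spaces and written `hexval(` where the surrounding lines use tabs and `hexval (`, so the hunk now mixes two styles. url_pct_decode's body, including the else branch that presumably reports the invalid escape, starts and ends outside this hunk.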
