curl/trurl

incorrect handling of strings with null characters in memdupdec causes out of bounds write to adjacent memory region

Fusl opened this issue · 1 comment

Fusl commented

trurl seems to improperly handle strings with null characters in the query string when trying to URL-decode in memdupdec, causing an out-of-bounds write to the memory region adjacent to the right of the allocated region:

$ trurl 0?00%000000000000000000000=0000000000
=================================================================
==159412==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000209d0 at pc 0x55f6b63ca316 bp 0x7ffe5b1e83b0 sp 0x7ffe5b1e7b78
WRITE of size 10 at 0x6030000209d0 thread T0
    #0 0x55f6b63ca315 in __asan_memcpy (/trurl/trurl+0xf2315) (BuildId: 44a807945411d9d4)
    #1 0x55f6b6410e97 in memdupdec /src/trurl/trurl.c:1093:5
    #2 0x55f6b6410e97 in addqpair /src/trurl/trurl.c:1133:12
    #3 0x55f6b640b16a in extractqpairs /src/trurl/trurl.c:1171:7
    #4 0x55f6b640b16a in singleurl /src/trurl/trurl.c:1369:5
    #5 0x55f6b64078b8 in main /src/trurl/trurl.c:1544:9
    #6 0x7f174fe061c9  (/lib/x86_64-linux-gnu/libc.so.6+0x271c9) (BuildId: 51657f818beb1ae70372216a99b7412b8a100a20)
    #7 0x7f174fe06284 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27284) (BuildId: 51657f818beb1ae70372216a99b7412b8a100a20)
    #8 0x55f6b6331200 in _start (/trurl/trurl+0x59200) (BuildId: 44a807945411d9d4)

0x6030000209d0 is located 0 bytes after 32-byte region [0x6030000209b0,0x6030000209d0)

This bug was discovered with the help of AFL++ in combination with ASan.

Ah, I think I found the source of the bug. In memdupdec we replace all null bytes in the right side of a query with REPLACE_NULL_BYTE, but this is never performed on the left side for some reason. I'll see if this quick patch also fixes the other issues you opened, though I don't suspect it will.

Thanks for digging into this!
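The failure class discussed in both comments, shown as an added example written for this page rather than code from trurl: a percent-decoder that reports the true decoded length (never derived from strlen(), which stops at the first NUL) and can substitute a placeholder for decoded NUL bytes on either side of a pair, plus a join that sizes its buffer from those explicit lengths. Only the macro name REPLACE_NULL_BYTE and the reproducer string come from the issue; the function names, the '_' placeholder value and the strlen_based_size comparison are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder stored in place of a decoded NUL byte. The macro name mirrors
 * the one mentioned in the issue; the value '_' is an assumption here. */
#define REPLACE_NULL_BYTE '_'

/* Value of a hex digit, or -1 when the character is not one. */
static int hexval(int c)
{
  if(c >= '0' && c <= '9') return c - '0';
  if(c >= 'a' && c <= 'f') return c - 'a' + 10;
  if(c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

/* Percent-decode in[0..inlen) into a newly malloc'd, NUL-terminated buffer.
 * Every decoded byte is written, NUL included, so *outlen is the real decoded
 * length. When replace_nul is non-zero a decoded NUL is stored as
 * REPLACE_NULL_BYTE, which keeps strlen(result) == *outlen for any later
 * string-based code. Malformed escapes ("%zz", a trailing "%4") are copied
 * through literally. Returns NULL only on allocation failure. */
char *decode_part(const char *in, size_t inlen, int replace_nul, size_t *outlen)
{
  /* Decoding never grows the data, so inlen + 1 bytes always suffice. */
  char *out = malloc(inlen + 1);
  size_t o = 0;
  if(!out)
    return NULL;
  for(size_t i = 0; i < inlen; i++) {
    unsigned char c = (unsigned char)in[i];
    if(c == '%' && i + 2 < inlen) {
      int hi = hexval((unsigned char)in[i + 1]);
      int lo = hexval((unsigned char)in[i + 2]);
      if(hi >= 0 && lo >= 0) {
        c = (unsigned char)((hi << 4) | lo);
        i += 2;
      }
    }
    if(c == 0 && replace_nul)
      c = REPLACE_NULL_BYTE;
    out[o++] = (char)c;
  }
  out[o] = '\0';
  *outlen = o;
  return out;
}

/* Build "left=right" from two decoded parts using their explicit lengths.
 * Sizing this buffer from strlen(left) would under-allocate whenever left
 * holds an embedded NUL, and the memcpy of right would then run past the end
 * of the allocation, the kind of write ASan flagged in the report above. */
char *join_pair(const char *left, size_t llen, const char *right, size_t rlen)
{
  char *out = malloc(llen + 1 + rlen + 1);
  if(!out)
    return NULL;
  memcpy(out, left, llen);
  out[llen] = '=';
  memcpy(out + llen + 1, right, rlen);
  out[llen + 1 + rlen] = '\0';
  return out;
}

/* Bytes a caller would allocate if it trusted strlen() on a decoded buffer
 * that may contain an embedded NUL. Compare against the true requirement. */
size_t strlen_based_size(const char *left, const char *right)
{
  return strlen(left) + 1 + strlen(right) + 1;
}

int main(void)
{
  /* Constructed input: the two halves of the issue's reproducer query. */
  const char *lhs = "00%000000000000000000000";
  const char *rhs = "0000000000";
  size_t rawlen, llen, rlen;
  char *raw = decode_part(lhs, strlen(lhs), 0, &rawlen);   /* keeps the NUL */
  char *left = decode_part(lhs, strlen(lhs), 1, &llen);    /* NUL replaced */
  char *right = decode_part(rhs, strlen(rhs), 1, &rlen);
  char *pair = NULL;
  if(raw && left && right) {
    printf("decoded length %zu, strlen() of raw decode %zu\n", rawlen, strlen(raw));
    printf("needed %zu bytes, strlen-based estimate %zu bytes\n",
           llen + 1 + rlen + 1, strlen_based_size(raw, right));
    pair = join_pair(left, llen, right, rlen);
    if(pair)
      printf("%s\n", pair);
  }
  free(pair); free(raw); free(left); free(right);
  return 0;
}
```

Run on the reproducer, the raw decode is 21 bytes shorter than strlen() reports, so an allocation sized by strlen() cannot hold the 10-byte right side; with the placeholder applied to the left side as well, strlen() and the decoded length agree and join_pair writes only inside its buffer.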