forked from curl/curl-www
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCVE-2016-7167.patch
74 lines (67 loc) · 2.03 KB
/
CVE-2016-7167.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
From bf0bb3849422c043f21f56fae57c1cf85e41a272 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Thu, 8 Sep 2016 22:59:54 +0200
Subject: [PATCH] CVE-2016-7167: deny negative string length inputs
Bug: https://curl.haxx.se/docs/adv_20160914.html
---
lib/escape.c | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/lib/escape.c b/lib/escape.c
index 04230b4..e61260d 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -76,19 +76,25 @@ char *curl_unescape(const char *string, int length)
}
char *curl_easy_escape(struct Curl_easy *data, const char *string,
int inlength)
{
- size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
+ size_t alloc;
char *ns;
char *testing_ptr = NULL;
unsigned char in; /* we need to treat the characters unsigned */
- size_t newlen = alloc;
+ size_t newlen;
size_t strindex=0;
size_t length;
CURLcode result;
+ if(inlength < 0)
+ return NULL;
+
+ alloc = (inlength?(size_t)inlength:strlen(string))+1;
+ newlen = alloc;
+
ns = malloc(alloc);
if(!ns)
return NULL;
length = alloc-1;
@@ -209,18 +215,20 @@ CURLcode Curl_urldecode(struct Curl_easy *data,
*/
char *curl_easy_unescape(struct Curl_easy *data, const char *string,
int length, int *olen)
{
char *str = NULL;
- size_t inputlen = length;
- size_t outputlen;
- CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
- FALSE);
- if(res)
- return NULL;
- if(olen)
- *olen = curlx_uztosi(outputlen);
+ if(length >= 0) {
+ size_t inputlen = length;
+ size_t outputlen;
+ CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
+ FALSE);
+ if(res)
+ return NULL;
+ if(olen)
+ *olen = curlx_uztosi(outputlen);
+ }
return str;
}
/* For operating systems/environments that use different malloc/free
systems for the app and for this library, we provide a free that uses
--
2.9.3