
curl_easy_unescape: deny negative string lengths as input

CVE-2016-7167

Bug: https://curl.haxx.se/docs/adv_20160914.html
Daniel Stenberg 2016-09-13 23:00:50 +02:00
parent 826a9ced2b
commit 01cf1308ee


@ -217,14 +217,16 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string,
int length, int *olen) int length, int *olen)
{ {
char *str = NULL; char *str = NULL;
size_t inputlen = length; if(length >= 0) {
size_t outputlen; size_t inputlen = length;
CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen, size_t outputlen;
FALSE); CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
if(res) FALSE);
return NULL; if(res)
if(olen) return NULL;
*olen = curlx_uztosi(outputlen); if(olen)
*olen = curlx_uztosi(outputlen);
}
return str; return str;
} }
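Review bot: The store `*olen = curlx_uztosi(outputlen);` remains unchecked on the high side, because the new `if(length >= 0)` guard only rejects negative input and still lets 0 through. If Curl_urldecode treats a length of 0 as "use strlen(string)" (its body is not visible here, so this is inferred from the documented API), outputlen can exceed INT_MAX and the caller may get back a length that does not match the returned buffer. Consider rejecting that case before the store, for example `if(outputlen > (size_t)INT_MAX) { free(str); return NULL; }`. A short comment on the guard would also help, such as `/* negative length: return NULL, *olen is left untouched */`, since a caller cannot tell this path apart from a decode failure.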