From 269a88910436d730ac212f4dc01cbe6961338061 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 3 Oct 2016 18:23:22 +0200 Subject: [PATCH] glob_next_url: make sure to stay within the given output buffer --- src/tool_urlglob.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c index 64c75ba4f..c45a78b21 100644 --- a/src/tool_urlglob.c +++ b/src/tool_urlglob.c @@ -431,6 +431,7 @@ CURLcode glob_url(URLGlob** glob, char* url, unsigned long *urlnum, glob_buffer = malloc(strlen(url) + 1); if(!glob_buffer) return CURLE_OUT_OF_MEMORY; + glob_buffer[0]=0; glob_expand = calloc(1, sizeof(URLGlob)); if(!glob_expand) { @@ -548,20 +549,25 @@ CURLcode glob_next_url(char **globbed, URLGlob *glob) switch(pat->type) { case UPTSet: if(pat->content.Set.elements) { - len = strlen(pat->content.Set.elements[pat->content.Set.ptr_s]); snprintf(buf, buflen, "%s", pat->content.Set.elements[pat->content.Set.ptr_s]); + len = strlen(buf); buf += len; buflen -= len; } break; case UPTCharRange: - *buf++ = pat->content.CharRange.ptr_c; + if(buflen) { + *buf++ = pat->content.CharRange.ptr_c; + *buf = '\0'; + buflen--; + } break; case UPTNumRange: - len = snprintf(buf, buflen, "%0*ld", - pat->content.NumRange.padlength, - pat->content.NumRange.ptr_n); + snprintf(buf, buflen, "%0*ld", + pat->content.NumRange.padlength, + pat->content.NumRange.ptr_n); + len = strlen(buf); buf += len; buflen -= len; break; @@ -570,7 +576,6 @@ CURLcode glob_next_url(char **globbed, URLGlob *glob) return CURLE_FAILED_INIT; } } - *buf = '\0'; *globbed = strdup(glob->glob_buffer); if(!*globbed)