
unescape: avoid integer overflow

CVE-2016-8622

Bug: https://curl.haxx.se/docs/adv_20161102H.html
Reported-by: Cure53
This commit is contained in:
Daniel Stenberg 2016-10-04 18:56:45 +02:00
parent c5be3d7267
commit 53e71e47d6
3 changed files with 18 additions and 9 deletions


@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___ .\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____| .\" * \___|\___/|_| \_\_____|
.\" * .\" *
.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * .\" *
.\" * This software is licensed as described in the file COPYING, which .\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms .\" * you should have received as part of this distribution. The terms
@ -40,7 +40,10 @@ will use strlen() on the input \fIurl\fP string to find out the size.
If \fBoutlength\fP is non-NULL, the function will write the length of the If \fBoutlength\fP is non-NULL, the function will write the length of the
returned string in the integer it points to. This allows an escaped string returned string in the integer it points to. This allows an escaped string
containing %00 to still get used properly after unescaping. containing %00 to still get used properly after unescaping. Since this is a
pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no
longer string can be unescaped if the string length is returned in this
parameter.
You must \fIcurl_free(3)\fP the returned string when you're done with it. You must \fIcurl_free(3)\fP the returned string when you're done with it.
.SH AVAILABILITY .SH AVAILABILITY


@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -52,7 +52,7 @@
#include <curl/curl.h> #include <curl/curl.h>
#include "transfer.h" #include "transfer.h"
#include "sendf.h" #include "sendf.h"
#include "escape.h"
#include "progress.h" #include "progress.h"
#include "strequal.h" #include "strequal.h"
#include "dict.h" #include "dict.h"
@ -96,12 +96,12 @@ static char *unescape_word(struct Curl_easy *data, const char *inputbuff)
char *newp; char *newp;
char *dictp; char *dictp;
char *ptr; char *ptr;
int len; size_t len;
char ch; char ch;
int olen=0; int olen=0;
newp = curl_easy_unescape(data, inputbuff, 0, &len); CURLcode result = Curl_urldecode(data, inputbuff, 0, &newp, &len, FALSE);
if(!newp) if(!newp || result)
return NULL; return NULL;
dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */ dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */
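Review bot: `if(!newp || result)` reads `newp` before `result` is consulted, and `newp` is declared a few lines up without an initializer; unless Curl_urldecode is guaranteed to store to its output pointer on every failure path (not visible in this hunk), the failing case tests an indeterminate pointer. Checking the return code first, `if(result || !newp)`, or declaring `char *newp = NULL;` removes the dependence on that contract. With `len` now a `size_t`, the `(size_t)len` cast in the `malloc` size on the last line of the hunk is redundant and can be dropped. unescape_word continues past the end of this hunk.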


@ -224,8 +224,14 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string,
FALSE); FALSE);
if(res) if(res)
return NULL; return NULL;
if(olen)
if(olen) {
if(outputlen <= (size_t) INT_MAX)
*olen = curlx_uztosi(outputlen); *olen = curlx_uztosi(outputlen);
else
/* too large to return in an int, fail! */
Curl_safefree(str);
}
} }
return str; return str;
} }
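Review bot: The `else` branch added near the end of the hunk is an unbraced comment-plus-statement, and its correctness depends on `Curl_safefree(str)` resetting `str` to NULL so that the following `return str;` signals failure; if that macro only frees, a dangling pointer is returned. Bracing the branch and stating the outcome makes both explicit: `else { /* too large to return in an int, fail! */ Curl_safefree(str); str = NULL; }`. On that path `*olen` is also left untouched, so a caller that inspects the length before the pointer sees a stale value; setting `*olen = 0` there costs nothing. The enclosing curl_easy_unescape starts outside this hunk.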