globbing: fix segfault when >9 globs were used

Stupid lack of range checks caused the code to overwrite local variables after glob number nine. Added checks now. Bug: http://curl.haxx.se/bug/view.cgi?id=3546353
2012-08-07 13:45:59 +02:00 · 2012-08-07 13:45:59 +02:00 · 73b1a965f7
parent 42e4c34ff3
commit 73b1a965f7
2 changed files with 12 additions and 3 deletions
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@ -64,7 +64,10 @@ static GlobCode glob_set(URLGlob *glob, char *pattern,
  pat->content.Set.ptr_s = 0;
  pat->content.Set.elements = NULL;

-  ++glob->size;
+  if(++glob->size > (GLOB_PATTERN_NUM*2)) {
+    snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n");
+    return GLOB_ERROR;
+  }

  while(!done) {
    switch (*pattern) {
@ -181,7 +184,10 @@ static GlobCode glob_range(URLGlob *glob, char *pattern,

  pat = &glob->pattern[glob->size / 2];
  /* patterns 0,1,2,... correspond to size=1,3,5,... */
-  ++glob->size;
+  if(++glob->size > (GLOB_PATTERN_NUM*2)) {
+    snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n");
+    return GLOB_ERROR;
+  }

  if(ISALPHA(*pattern)) {
    /* character range detected */
--- a/src/tool_urlglob.h
+++ b/src/tool_urlglob.h
@ -53,9 +53,12 @@ typedef struct {
  } content;
 } URLPattern;

+/* the total number of globs supported */
+#define GLOB_PATTERN_NUM 9
+
 typedef struct {
  char *literal[10];
-  URLPattern pattern[9];
+  URLPattern pattern[GLOB_PATTERN_NUM+1];
  size_t size;
  size_t urllen;
  char *glob_buffer;