moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2025-02-28 17:31:46 -05:00
Code Issues Releases Wiki Activity

globbing: fix segfault when >9 globs were used

Browse Source 
Stupid lack of range checks caused the code to overwrite local variables
after glob number nine. Added checks now.

Bug: http://curl.haxx.se/bug/view.cgi?id=3546353
This commit is contained in:
Daniel Stenberg 2012-08-07 13:45:59 +02:00
parent 42e4c34ff3
commit 73b1a965f7
2 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/tool_urlglob.c
View File

@ -64,7 +64,10 @@ static GlobCode glob_set(URLGlob *glob, char *pattern,
pat->content.Set.ptr_s = 0; pat->content.Set.ptr_s = 0;
pat->content.Set.elements = NULL; pat->content.Set.elements = NULL;
++glob->size; if(++glob->size > (GLOB_PATTERN_NUM*2)) {
snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n");
return GLOB_ERROR;
}
while(!done) { while(!done) {
switch (*pattern) { switch (*pattern) {
@ -181,7 +184,10 @@ static GlobCode glob_range(URLGlob *glob, char *pattern,
pat = &glob->pattern[glob->size / 2]; pat = &glob->pattern[glob->size / 2];
/* patterns 0,1,2,... correspond to size=1,3,5,... */ /* patterns 0,1,2,... correspond to size=1,3,5,... */
++glob->size; if(++glob->size > (GLOB_PATTERN_NUM*2)) {
snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n");
return GLOB_ERROR;
}
if(ISALPHA(*pattern)) { if(ISALPHA(*pattern)) {
/* character range detected */ /* character range detected */

5
src/tool_urlglob.h
View File

@ -53,9 +53,12 @@ typedef struct {
} content; } content;
} URLPattern; } URLPattern;
/* the total number of globs supported */
#define GLOB_PATTERN_NUM 9
typedef struct { typedef struct {
char *literal[10]; char *literal[10];
URLPattern pattern[9]; URLPattern pattern[GLOB_PATTERN_NUM+1];
size_t size; size_t size;
size_t urllen; size_t urllen;
char *glob_buffer; char *glob_buffer;