moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

curl_easy_escape: deny negative string lengths as input 

CVE-2016-7167

Bug: https://curl.haxx.se/docs/adv_20160914.html
This commit is contained in:
Daniel Stenberg 2016-09-08 22:59:54 +02:00
parent ffa0709a88
commit 826a9ced2b
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/escape.c
View File

@ -78,15 +78,21 @@ char *curl_unescape(const char *string, int length)
char *curl_easy_escape(struct Curl_easy *data, const char *string,
int inlength)
{
size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
size_t alloc;
char *ns;
char *testing_ptr = NULL;
unsigned char in; /* we need to treat the characters unsigned */
size_t newlen = alloc;
size_t newlen;
size_t strindex=0;
size_t length;
CURLcode result;
if(inlength < 0)
return NULL;
alloc = (inlength?(size_t)inlength:strlen(string))+1;
newlen = alloc;
ns = malloc(alloc);
if(!ns)
return NULL;