moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-12 04:25:08 -05:00
Code Issues Releases Wiki Activity

range: reject char globs with missing end like '[L-]'

Browse Source 
... which previously would lead to out of boundary reads.

Reported-by: Luật Nguyễn
This commit is contained in:
Daniel Stenberg 2016-10-04 17:25:09 +02:00
parent 269a889104
commit ee4f76606c
1 changed files with 19 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/tool_urlglob.c
View File

@ -188,13 +188,15 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
/* character range detected */ /* character range detected */
char min_c; char min_c;
char max_c; char max_c;
char end_c;
int step=1; int step=1;
pat->type = UPTCharRange; pat->type = UPTCharRange;
rc = sscanf(pattern, "%c-%c", &min_c, &max_c); rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);
if((rc == 2) && (pattern[3] == ':')) { if(rc == 3) {
if(end_c == ':') {
char *endp; char *endp;
unsigned long lstep; unsigned long lstep;
errno = 0; errno = 0;
@ -208,12 +210,14 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
step = -1; step = -1;
} }
} }
else else if(end_c != ']')
pattern += 4; /* then this is wrong */
rc = 0;
}
*posp += (pattern - *patternp); *posp += (pattern - *patternp);
if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) || if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
(step <= 0) ) (step <= 0) )
/* the pattern is not well-formed */ /* the pattern is not well-formed */
return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT); return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);