range: prevent negative end number in a glob range

CVE-2016-8620 Bug: https://curl.haxx.se/docs/adv_20161102F.html Reported-by: Luật Nguyễn
2016-10-03 17:27:16 +02:00 · 2016-10-03 17:27:16 +02:00 · fbb5f1aa03
parent 96a80b5a26
commit fbb5f1aa03
1 changed files with 7 additions and 0 deletions
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
        endp = NULL;
      else {
        pattern = endp+1;
+        while(*pattern && ISBLANK(*pattern))
+          pattern++;
+        if(!ISDIGIT(*pattern)) {
+          endp = NULL;
+          goto fail;
+        }
        errno = 0;
        max_n = strtoul(pattern, &endp, 10);
        if(errno || (*endp == ':')) {
@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
      }
    }

+    fail:
    *posp += (pattern - *patternp);

    if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || !step_n)