mirror of https://github.com/moparisthebest/curl synced 2025-01-11 05:58:01 -05:00
curl/lib
Tobias Stoeckmann 8829703b5a mprintf: Fix stack overflows
Stack overflows can occur with precisions for integers and floats.

Proof of concepts:
- curl_mprintf("%d, %.*1$d", 500, 1);
- curl_mprintf("%d, %+0500.*1$f", 500, 1);

Ideally, compile with -fsanitize=address which makes this undefined
behavior a bit more defined for debug purposes.

The format strings are valid. The overflows occur due to invalid
arguments. If these arguments are variables with contents controlled
by an attacker, the function's stack can be corrupted.

Also see CVE-2016-9586 which partially fixed the float aspect.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Closes https://github.com/curl/curl/pull/5722
2020-07-27 03:43:00 -04:00
vauth ntlm: free target_info before (re-)malloc 2020-07-26 23:48:36 +02:00
vquic ngtcp2: adjust to recent sockaddr updates 2020-07-16 23:56:42 +02:00
vssh libssh2: keep sftp errors as 'unsigned long' 2020-06-08 08:38:48 +02:00
vtls nss: fix build with disabled proxy support 2020-07-14 23:42:20 +02:00
.gitattributes
.gitignore
altsvc.c altsvc: bump to h3-29 2020-06-19 23:29:26 +02:00
altsvc.h altsvc: remove the num field from the altsvc struct 2020-06-12 23:24:11 +02:00
amigaos.c
amigaos.h
arpa_telnet.h
asyn-ares.c timeouts: move ms timeouts to timediff_t from int and long 2020-06-06 20:05:58 +02:00
asyn-thread.c build: disable more code/data when built without proxy support 2020-05-30 23:18:16 +02:00
asyn.h asyn.h: remove the Curl_resolver_getsock define 2020-07-12 18:06:50 +02:00
base64.c base64: check for SSH, not specific SSH backends 2019-08-17 16:57:56 +02:00
checksrc.pl wording: avoid blacklist/whitelist stereotypes 2020-06-10 08:49:17 +02:00
CMakeLists.txt cmake: add aliases so exported target names are available in tree 2020-04-13 23:27:35 +02:00
config-amigaos.h copyrights: update all copyright notices to 2019 on files changed this year 2019-11-02 23:15:56 +01:00
config-dos.h lib: never define CURL_CA_BUNDLE with a getenv 2020-04-05 23:59:20 +02:00
config-mac.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
config-os400.h config: remove all defines of HAVE_DES_H 2020-03-24 17:54:26 +01:00
config-plan9.h build: remove all HAVE_OPENSSL_ENGINE_H defines 2020-03-01 11:06:28 +01:00
config-riscos.h config: remove all defines of HAVE_DES_H 2020-03-24 17:54:26 +01:00
config-symbian.h config: remove all defines of HAVE_DES_H 2020-03-24 17:54:26 +01:00
config-tpf.h config: remove all defines of HAVE_DES_H 2020-03-24 17:54:26 +01:00
config-vxworks.h config: remove all defines of HAVE_DES_H 2020-03-24 17:54:26 +01:00
config-win32.h source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
config-win32ce.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
conncache.c conncache: download buffer needs +1 size for trailing zero 2020-05-31 17:45:57 +02:00
conncache.h conncache: various concept cleanups 2020-04-30 14:27:54 +02:00
connect.c connect: improve happy eyeballs handling 2020-06-18 00:20:42 +02:00
connect.h source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
content_encoding.c content_encoding: add zstd decoding support 2020-07-12 18:11:37 +02:00
content_encoding.h source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
cookie.c terminology: call them null-terminated strings 2020-06-28 00:31:24 +02:00
cookie.h cookies: change argument type for Curl_flush_cookies 2019-10-03 22:56:28 +02:00
curl_addrinfo.c Curl_addrinfo: use one malloc instead of three 2020-06-08 16:10:53 +02:00
curl_addrinfo.h copyright: updated year ranges out of sync 2020-05-24 00:02:33 +02:00
curl_base64.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
curl_config.h.cmake content_encoding: add zstd decoding support 2020-07-12 18:11:37 +02:00
curl_ctype.c
curl_ctype.h
curl_des.c copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
curl_des.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
curl_endian.c lib: fix warnings found when porting to NuttX 2019-12-27 22:52:31 -05:00
curl_endian.h
curl_fnmatch.c
curl_fnmatch.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
curl_get_line.c
curl_get_line.h
curl_gethostname.c
curl_gethostname.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
curl_gssapi.c
curl_gssapi.h
curl_hmac.h source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
curl_ldap.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
curl_md4.h md4: Use const for the length input parameter 2020-02-23 18:47:32 +00:00
curl_md5.h source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
curl_memory.h
curl_memrchr.c
curl_memrchr.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
curl_multibyte.c multibyte: Fixed access-> waccess to file for Windows Platform 2020-06-21 19:31:39 +02:00
curl_multibyte.h curl_multibyte: add to curlx 2020-05-14 18:13:27 +02:00
curl_ntlm_core.c ntlm: enable NTLM support with wolfSSL 2020-06-16 09:06:19 +02:00
curl_ntlm_core.h ntlm: enable NTLM support with wolfSSL 2020-06-16 09:06:19 +02:00
curl_ntlm_wb.c http: move header storage to Curl_easy from connectdata 2020-06-15 22:56:25 +02:00
curl_ntlm_wb.h
curl_path.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
curl_path.h
curl_printf.h
curl_range.c
curl_range.h
curl_rtmp.c urldata: avoid 'generic', use dedicated pointers 2019-09-03 23:00:51 +02:00
curl_rtmp.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
curl_sasl.c build: disable more code/data when built without proxy support 2020-05-30 23:18:16 +02:00
curl_sasl.h
curl_sec.h
curl_setup_once.h tool: support UTF-16 command line on Windows 2020-05-14 18:13:36 +02:00
curl_setup.h multibyte: Fixed access-> waccess to file for Windows Platform 2020-06-21 19:31:39 +02:00
curl_sha256.h md5/sha256: Updated the functions to allow non-string data to be hashed 2020-02-23 07:50:33 +00:00
curl_sspi.c curl_multibyte: add to curlx 2020-05-14 18:13:27 +02:00
curl_sspi.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
curl_threads.c checksrc: enhance the ASTERISKSPACE and update code accordingly 2020-05-14 00:02:05 +02:00
curl_threads.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
curlx.h curl_multibyte: add to curlx 2020-05-14 18:13:27 +02:00
dict.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
dict.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
doh.c doh: remove redundant cast 2020-07-21 20:00:29 +02:00
doh.h source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
dotdot.c terminology: call them null-terminated strings 2020-06-28 00:31:24 +02:00
dotdot.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
dynbuf.c terminology: call them null-terminated strings 2020-06-28 00:31:24 +02:00
dynbuf.h terminology: call them null-terminated strings 2020-06-28 00:31:24 +02:00
easy.c timeouts: move ms timeouts to timediff_t from int and long 2020-06-06 20:05:58 +02:00
easyif.h dynbuf: introduce internal generic dynamic buffer functions 2020-05-04 10:40:39 +02:00
escape.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
escape.h escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
file.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
file.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
fileinfo.c
fileinfo.h
firefox-db2pem.sh copyright: fix out-of-date copyright ranges and missing headers 2020-03-24 15:05:59 +01:00
formdata.c terminology: call them null-terminated strings 2020-06-28 00:31:24 +02:00
formdata.h source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
ftp.c terminology: call them null-terminated strings 2020-06-28 00:31:24 +02:00
ftp.h lib: clean up whitespace 2020-04-25 11:15:49 +02:00
ftplistparser.c copyrights: update all copyright notices to 2019 on files changed this year 2019-11-02 23:15:56 +01:00
ftplistparser.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
getenv.c tool_home: Fix the copyright year being out of date 2020-02-13 00:40:08 +00:00
getinfo.c CURLINFO_EFFECTIVE_METHOD: added 2020-07-14 17:53:45 +02:00
getinfo.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
gopher.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
gopher.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
hash.c
hash.h
hmac.c source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
hostasyn.c source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
hostcheck.c copyrights: update all copyright notices to 2019 on files changed this year 2019-11-02 23:15:56 +01:00
hostcheck.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
hostip4.c source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
hostip6.c hostip: make Curl_printable_address not return anything 2020-05-19 08:11:46 +02:00
hostip.c hostip: fix the memory-leak introduced in 67d2802 2020-06-02 12:43:50 +02:00
hostip.h hostip: make Curl_printable_address not return anything 2020-05-19 08:11:46 +02:00
hostsyn.c copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
http2.c CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream 2020-07-16 00:24:29 +02:00
http2.h dynbuf: introduce internal generic dynamic buffer functions 2020-05-04 10:40:39 +02:00
http_chunks.c trailers: switch h1-trailer logic to use dynbuf 2020-06-05 17:57:24 +02:00
http_chunks.h chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error 2019-10-02 07:46:05 +02:00
http_digest.c http: move header storage to Curl_easy from connectdata 2020-06-15 22:56:25 +02:00
http_digest.h http: move header storage to Curl_easy from connectdata 2020-06-15 22:56:25 +02:00
http_negotiate.c http: move header storage to Curl_easy from connectdata 2020-06-15 22:56:25 +02:00
http_negotiate.h conncache: various concept cleanups 2020-04-30 14:27:54 +02:00
http_ntlm.c http: move header storage to Curl_easy from connectdata 2020-06-15 22:56:25 +02:00
http_ntlm.h conncache: various concept cleanups 2020-04-30 14:27:54 +02:00
http_proxy.c http: move header storage to Curl_easy from connectdata 2020-06-15 22:56:25 +02:00
http_proxy.h http_proxy: ported to use dynbuf instead of a static size buffer 2020-05-04 10:41:06 +02:00
http.c CURLINFO_EFFECTIVE_METHOD: added 2020-07-14 17:53:45 +02:00
http.h http2: simplify and clean up trailer handling 2020-05-07 09:49:51 +02:00
idn_win32.c curl_multibyte: add to curlx 2020-05-14 18:13:27 +02:00
if2ip.c Curl_inet_ntop: always check the return code 2020-06-24 16:04:54 +02:00
if2ip.h
imap.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
imap.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
inet_ntop.c copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
inet_ntop.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
inet_pton.c copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
inet_pton.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
krb5.c copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
ldap.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
libcurl.plist
libcurl.rc
libcurl.vers.in
llist.c llist: removed unused Curl_llist_move() 2020-01-24 10:29:18 +01:00
llist.h llist: removed unused Curl_llist_move() 2020-01-24 10:29:18 +01:00
Makefile.am cleanup: correct copyright year range on a few files 2020-04-06 23:21:52 +02:00
makefile.amiga copyright: fix out-of-date copyright ranges and missing headers 2020-03-24 15:05:59 +01:00
makefile.dj copyright: fix out-of-date copyright ranges and missing headers 2020-03-24 15:05:59 +01:00
Makefile.inc vtls: Extract and simplify key log file handling from OpenSSL 2020-05-27 21:19:51 +02:00
Makefile.m32 content_encoding: add zstd decoding support 2020-07-12 18:11:37 +02:00
Makefile.netware lib: never define CURL_CA_BUNDLE with a getenv 2020-04-05 23:59:20 +02:00
Makefile.vxworks copyright: fix out-of-date copyright ranges and missing headers 2020-03-24 15:05:59 +01:00
Makefile.Watcom copyright: fix out-of-date copyright ranges and missing headers 2020-03-24 15:05:59 +01:00
md4.c md(4|5): don't use deprecated macOS functions 2020-07-19 10:34:52 +02:00
md5.c md(4|5): don't use deprecated macOS functions 2020-07-19 10:34:52 +02:00
memdebug.c memdebug: don't log free(NULL) 2020-03-31 09:44:23 +02:00
memdebug.h build: Disable Visual Studio warning "conditional expression is constant" 2019-12-01 19:01:02 -05:00
mime.c terminology: call them null-terminated strings 2020-06-28 00:31:24 +02:00
mime.h source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
mk-ca-bundle.pl lib/mk-ca-bundle: skip empty certs 2020-04-22 22:55:08 +02:00
mk-ca-bundle.vbs copyright: fix out-of-date copyright ranges and missing headers 2020-03-24 15:05:59 +01:00
mprintf.c mprintf: Fix stack overflows 2020-07-27 03:43:00 -04:00
mqtt.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
mqtt.h mqtt: make NOSTATE get within the debug name array 2020-04-20 23:27:04 +02:00
multi.c multi: remove two checks always true 2020-07-14 00:12:08 +02:00
multihandle.h Revert "multi: implement wait using winsock events" 2020-06-30 12:27:23 +02:00
multiif.h url: make sure pushed streams get an allocated download buffer 2020-06-23 15:13:27 +02:00
netrc.c netrc: part of conditional expression is always true: !done 2019-09-20 08:07:18 +02:00
netrc.h
non-ascii.c copyrights: update all copyright notices to 2019 on files changed this year 2019-11-02 23:15:56 +01:00
non-ascii.h
nonblock.c copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
nonblock.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
nwlib.c source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
nwos.c
openldap.c source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
parsedate.c parsedate: offer a getdate_capped() alternative 2019-11-29 11:01:24 +01:00
parsedate.h parsedate: offer a getdate_capped() alternative 2019-11-29 11:01:24 +01:00
pingpong.c terminology: call them null-terminated strings 2020-06-28 00:31:24 +02:00
pingpong.h timeouts: change millisecond timeouts to timediff_t from time_t 2020-05-30 23:10:57 +02:00
pop3.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
pop3.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
progress.c timeouts: change millisecond timeouts to timediff_t from time_t 2020-05-30 23:10:57 +02:00
progress.h
psl.c
psl.h
quic.h connect: improve happy eyeballs handling 2020-06-18 00:20:42 +02:00
rand.c
rand.h
rename.c rename: a new file for Curl_rename() 2020-02-18 07:49:15 +01:00
rename.h rename: a new file for Curl_rename() 2020-02-18 07:49:15 +01:00
rtsp.c http: move header storage to Curl_easy from connectdata 2020-06-15 22:56:25 +02:00
rtsp.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
security.c security: silence conversion warning 2019-10-13 22:10:12 +02:00
select.c select: remove the unused ELAPSED_MS() macro 2020-06-18 00:11:25 +02:00
select.h select: use timediff_t instead of time_t and int for timeout_ms 2020-05-30 10:20:40 +02:00
sendf.c sendf: improve the message on client write errors 2020-06-24 16:03:40 +02:00
sendf.h
setopt.c urldata: let the HTTP method be in the set.* struct 2020-06-02 16:30:36 +02:00
setopt.h setopt: support certificate options in memory with struct curl_blob 2020-05-15 13:03:59 +02:00
setup-os400.h checksrc: enhance the ASTERISKSPACE and update code accordingly 2020-05-14 00:02:05 +02:00
setup-vms.h copyright: updated year ranges out of sync 2020-05-24 00:02:33 +02:00
setup-win32.h curl_setup: define _WIN32_WINNT_[OS] symbols 2020-03-21 17:42:44 -04:00
sha256.c sha256: move assign to the declaration line 2020-05-19 08:52:38 +02:00
share.c share: don't set the share flag if something fails 2020-06-12 09:42:52 +02:00
share.h
sigpipe.h
slist.c copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
slist.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
smb.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
smb.h copyright updates: adjust year ranges 2020-04-26 23:59:22 +02:00
smtp.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
smtp.h smtp: Detect server support for the UTF-8 extension as defined in RFC-6531 2020-02-26 14:04:37 +00:00
sockaddr.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
socketpair.c lib: fix warnings found when porting to NuttX 2019-12-27 22:52:31 -05:00
socketpair.h socketpair: an implementation for Windows and more 2019-10-10 11:04:38 +02:00
socks_gssapi.c all: fix codespell errors 2020-05-25 19:44:04 +00:00
socks_sspi.c all: fix codespell errors 2020-05-25 19:44:04 +00:00
socks.c socks: use size_t for size variable 2020-07-12 22:52:19 +02:00
socks.h socks: make the connect phase non-blocking 2020-02-17 00:08:48 +01:00
speedcheck.c
speedcheck.h
splay.c
splay.h
strcase.c strcase: turn Curl_raw_tolower into static 2020-01-24 10:29:06 +01:00
strcase.h strcase: turn Curl_raw_tolower into static 2020-01-24 10:29:06 +01:00
strdup.c strdup: remove the odd strlen check 2020-07-18 12:37:25 +02:00
strdup.h
strerror.c terminology: call them null-terminated strings 2020-06-28 00:31:24 +02:00
strerror.h strerror.h: Copyright year out of date 2020-02-12 23:07:21 +01:00
strtok.c terminology: call them null-terminated strings 2020-06-28 00:31:24 +02:00
strtok.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
strtoofft.c copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
strtoofft.h
system_win32.c nit: Copyright year out of date 2020-02-19 08:04:35 +01:00
system_win32.h
telnet.c copyright: update mismatched copyright years 2020-06-22 11:55:34 +02:00
telnet.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
tftp.c escape: make the URL decode able to reject only %00 bytes 2020-06-25 09:57:18 +02:00
tftp.h copyrights: fix copyright year range 2019-11-08 14:51:42 +01:00
timeval.c nit: Copyright year out of date 2020-02-19 08:04:35 +01:00
timeval.h
transfer.c transfer: fix memory-leak with CURLOPT_CURLU in a duped handle 2020-07-12 16:36:02 +02:00
transfer.h
url.c url: silence MSVC warning 2020-07-02 13:31:22 +02:00
url.h build: disable more code/data when built without proxy support 2020-05-30 23:18:16 +02:00
urlapi-int.h
urlapi.c terminology: call them null-terminated strings 2020-06-28 00:31:24 +02:00
urldata.h CURLINFO_EFFECTIVE_METHOD: added 2020-07-14 17:53:45 +02:00
version.c windows: add unicode to feature list 2020-07-14 08:30:17 +00:00
warnless.c
warnless.h cleanup: correct copyright year range on a few files 2020-04-06 23:21:52 +02:00
wildcard.c
wildcard.h
x509asn1.c source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00
x509asn1.h source cleanup: remove all custom typedef structs 2020-05-15 08:54:42 +02:00