diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2016-10-04 18:56:45 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2016-10-31 08:46:35 +0100 |
| commit | 53e71e47d6b81650d26ec33a58d0dca24c7ffb2c (patch) | |
| tree | a5f0a1087187b889163113e83f081f8fec9d16d8 | |
| parent | c5be3d7267c725dbd093ff3a883e07ee8cf2a1d5 (diff) | |
| download | gnurl-53e71e47d6b81650d26ec33a58d0dca24c7ffb2c.tar.gz gnurl-53e71e47d6b81650d26ec33a58d0dca24c7ffb2c.tar.bz2 gnurl-53e71e47d6b81650d26ec33a58d0dca24c7ffb2c.zip | |
unescape: avoid integer overflow
CVE-2016-8622
Bug: https://curl.haxx.se/docs/adv_20161102H.html
Reported-by: Cure53
| -rw-r--r-- | docs/libcurl/curl_easy_unescape.3 | 7 | ||||
| -rw-r--r-- | lib/dict.c | 10 | ||||
| -rw-r--r-- | lib/escape.c | 10 |
3 files changed, 18 insertions, 9 deletions
diff --git a/docs/libcurl/curl_easy_unescape.3 b/docs/libcurl/curl_easy_unescape.3 index 06fd6fcb5..50ce97db7 100644 --- a/docs/libcurl/curl_easy_unescape.3 +++ b/docs/libcurl/curl_easy_unescape.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. +.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms @@ -40,7 +40,10 @@ will use strlen() on the input \fIurl\fP string to find out the size. If \fBoutlength\fP is non-NULL, the function will write the length of the returned string in the integer it points to. This allows an escaped string -containing %00 to still get used properly after unescaping. +containing %00 to still get used properly after unescaping. Since this is a +pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no +longer string can be unescaped if the string length is returned in this +parameter. You must \fIcurl_free(3)\fP the returned string when you're done with it. .SH AVAILABILITY diff --git a/lib/dict.c b/lib/dict.c index a7b5965bd..48a4e0a81 100644 --- a/lib/dict.c +++ b/lib/dict.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -52,7 +52,7 @@ #include <curl/curl.h> #include "transfer.h" #include "sendf.h" - +#include "escape.h" #include "progress.h" #include "strequal.h" #include "dict.h" @@ -96,12 +96,12 @@ static char *unescape_word(struct Curl_easy *data, const char *inputbuff) char *newp; char *dictp; char *ptr; - int len; + size_t len; char ch; int olen=0; - newp = curl_easy_unescape(data, inputbuff, 0, &len); - if(!newp) + CURLcode result = Curl_urldecode(data, inputbuff, 0, &newp, &len, FALSE); + if(!newp || result) return NULL; dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */ diff --git a/lib/escape.c b/lib/escape.c index e61260d7c..66570076e 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -224,8 +224,14 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string, FALSE); if(res) return NULL; - if(olen) - *olen = curlx_uztosi(outputlen); + + if(olen) { + if(outputlen <= (size_t) INT_MAX) + *olen = curlx_uztosi(outputlen); + else + /* too large to return in an int, fail! */ + Curl_safefree(str); + } } return str; } |