authorDaniel Stenberg <daniel@haxx.se>2016-10-04 17:25:09 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-10-31 08:46:35 +0100
commitee4f76606cfa4ee068bf28edd37c8dae7e8db317 (patch)
tree59ebe6924c27dc9909f1c769781e1738c0f12f72
parent269a88910436d730ac212f4dc01cbe6961338061 (diff)
range: reject char globs with missing end like '[L-]'
... which previously would lead to out of boundary reads. Reported-by: Luật Nguyễn
-rw-r--r--src/tool_urlglob.c34
1 files changed, 19 insertions, 15 deletions
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index c45a78b21..09d21b61e 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -188,32 +188,36 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
/* character range detected */
char min_c;
char max_c;
+ char end_c;
int step=1;
pat->type = UPTCharRange;
- rc = sscanf(pattern, "%c-%c", &min_c, &max_c);
+ rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);
- if((rc == 2) && (pattern[3] == ':')) {
- char *endp;
- unsigned long lstep;
- errno = 0;
- lstep = strtoul(&pattern[4], &endp, 10);
- if(errno || (*endp != ']'))
- step = -1;
- else {
- pattern = endp+1;
- step = (int)lstep;
- if(step > (max_c - min_c))
+ if(rc == 3) {
+ if(end_c == ':') {
+ char *endp;
+ unsigned long lstep;
+ errno = 0;
+ lstep = strtoul(&pattern[4], &endp, 10);
+ if(errno || (*endp != ']'))
step = -1;
+ else {
+ pattern = endp+1;
+ step = (int)lstep;
+ if(step > (max_c - min_c))
+ step = -1;
+ }
}
+ else if(end_c != ']')
+ /* then this is wrong */
+ rc = 0;
}
- else
- pattern += 4;
*posp += (pattern - *patternp);
- if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
+ if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
(step <= 0) )
/* the pattern is not well-formed */
return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);
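Review bot: The plain `end_c == ']'` case no longer advances `pattern`: the removed `else pattern += 4;` has no counterpart inside the new `if(rc == 3)` block, so for a well-formed range without a step `*posp += (pattern - *patternp)` adds zero and whatever follows the hunk presumably continues from the start of the range text instead of after the `]`. A closing arm after the `else if(end_c != ']')` branch would restore the old behaviour, for example `else pattern += 4; /* end_c == ']' */`. Separately, the step parse accepts whatever `strtoul` accepts, including an empty digit string (caught only indirectly by `step <= 0`), and `(int)lstep` can truncate a large value into a small positive one; checking `endp != &pattern[4]` and `lstep <= INT_MAX` before the cast would make the rejection explicit. The enclosing `glob_range` body starts and ends outside the hunk, so the effect on the caller is inferred from the visible lines only.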