authorDaniel Stenberg <daniel@haxx.se>2016-10-03 17:27:16 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-10-31 08:46:35 +0100
commitfbb5f1aa0326d485d5a7ac643b48481897ca667f (patch)
tree08ffbd8e2c32dc3428ebeb3807f4853da150133c
parent96a80b5a262fb6dd2ddcea7987296f3b9a405618 (diff)
range: prevent negative end number in a glob range
CVE-2016-8620 Bug: https://curl.haxx.se/docs/adv_20161102F.html Reported-by: Luật Nguyễn
-rw-r--r--src/tool_urlglob.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index a357b8b56..64c75ba4f 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
endp = NULL;
else {
pattern = endp+1;
+ while(*pattern && ISBLANK(*pattern))
+ pattern++;
+ if(!ISDIGIT(*pattern)) {
+ endp = NULL;
+ goto fail;
+ }
errno = 0;
max_n = strtoul(pattern, &endp, 10);
if(errno || (*endp == ':')) {
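Review bot: The added `if(!ISDIGIT(*pattern))` check carries no comment explaining why it is needed, and the reason is not obvious from the code. strtoul() skips leading whitespace and accepts a sign on its own, so a '-' here would be parsed and wrapped into a very large unsigned max_n. I would put `/* strtoul() accepts a sign; insist on a digit so a negative end cannot wrap into a huge max_n */` above the blank-skipping loop. The diffstat lists only src/tool_urlglob.c, so a regression test for a range with a signed end value would be worth adding with this fix. The step parse after ':' lies outside this hunk; if it also goes straight to strtoul(), it deserves the same look, though the later `step_n > (max_n - min_n)` test probably rejects a wrapped step.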
@@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
}
}
+ fail:
*posp += (pattern - *patternp);
if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || !step_n)
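Review bot: The `fail:` label sits on the path that successful parses also fall through, so the name is misleading. The early exit only produces an error because `!endp` is tested first in the condition that follows. On the goto path this branch has not yet assigned max_n, and the short-circuit is what keeps `(min_n > max_n)` from being evaluated. A comment on the label such as `/* reached on success too; a NULL endp marks the range as malformed */` would guard against a later reordering of that condition. Whether max_n has an initializer cannot be seen here, because the declarations of glob_range are outside the hunk.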