curl_easy_unescape: deny negative string lengths as input

CVE-2016-7167 Bug: https://curl.haxx.se/docs/adv_20160914.html
author: Daniel Stenberg <daniel@haxx.se> 2016-09-13 23:00:50 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2016-09-14 07:49:43 +0200
commit: 01cf1308ee2e792c77bb1d2c9218c56a30fd40ae (patch)
tree: e9a734faa378ec8a392c08f68e6e2ff503f91dc5 /lib/escape.c
parent: 826a9ced2bed217155e34065ef4048931f327b1e (diff)
download: gnurl-01cf1308ee2e792c77bb1d2c9218c56a30fd40ae.tar.gz
gnurl-01cf1308ee2e792c77bb1d2c9218c56a30fd40ae.tar.bz2
gnurl-01cf1308ee2e792c77bb1d2c9218c56a30fd40ae.zip
1 files changed, 10 insertions, 8 deletions
diff --git a/lib/escape.c b/lib/escape.c
index 63edd84fa..e61260d7c 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -217,14 +217,16 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string,
                          int length, int *olen)
 {
   char *str = NULL;
-  size_t inputlen = length;
-  size_t outputlen;
-  CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
-                                FALSE);
-  if(res)
-    return NULL;
-  if(olen)
-    *olen = curlx_uztosi(outputlen);
+  if(length >= 0) {
+    size_t inputlen = length;
+    size_t outputlen;
+    CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
+                                  FALSE);
+    if(res)
+      return NULL;
+    if(olen)
+      *olen = curlx_uztosi(outputlen);
+  }
   return str;
 }
author	Daniel Stenberg <daniel@haxx.se>	2016-09-13 23:00:50 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2016-09-14 07:49:43 +0200
commit	01cf1308ee2e792c77bb1d2c9218c56a30fd40ae (patch)
tree	e9a734faa378ec8a392c08f68e6e2ff503f91dc5 /lib/escape.c
parent	826a9ced2bed217155e34065ef4048931f327b1e (diff)
download	gnurl-01cf1308ee2e792c77bb1d2c9218c56a30fd40ae.tar.gz gnurl-01cf1308ee2e792c77bb1d2c9218c56a30fd40ae.tar.bz2 gnurl-01cf1308ee2e792c77bb1d2c9218c56a30fd40ae.zip