aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2016-09-13 23:00:50 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-09-14 07:49:43 +0200
commit01cf1308ee2e792c77bb1d2c9218c56a30fd40ae (patch)
treee9a734faa378ec8a392c08f68e6e2ff503f91dc5
parent826a9ced2bed217155e34065ef4048931f327b1e (diff)
curl_easy_unescape: deny negative string lengths as input
CVE-2016-7167 Bug: https://curl.haxx.se/docs/adv_20160914.html
-rw-r--r--lib/escape.c18
1 files changed, 10 insertions, 8 deletions
diff --git a/lib/escape.c b/lib/escape.c
index 63edd84fa..e61260d7c 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -217,14 +217,16 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string,
int length, int *olen)
{
char *str = NULL;
- size_t inputlen = length;
- size_t outputlen;
- CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
- FALSE);
- if(res)
- return NULL;
- if(olen)
- *olen = curlx_uztosi(outputlen);
+ if(length >= 0) {
+ size_t inputlen = length;
+ size_t outputlen;
+ CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
+ FALSE);
+ if(res)
+ return NULL;
+ if(olen)
+ *olen = curlx_uztosi(outputlen);
+ }
return str;
}