authorDaniel Stenberg <daniel@haxx.se>2012-08-07 13:45:59 +0200
committerDaniel Stenberg <daniel@haxx.se>2012-08-07 13:45:59 +0200
commit73b1a965f76d0b3e03e078604fe1824875ce15c0 (patch)
tree27760175b6738fffb9cd7529ec665256b41060a7
parent42e4c34ff37c259ff26e78aab22c0bccf06d1bcb (diff)
globbing: fix segfault when >9 globs were used
Stupid lack of range checks caused the code to overwrite local variables after glob number nine. Added checks now. Bug: http://curl.haxx.se/bug/view.cgi?id=3546353
-rw-r--r--src/tool_urlglob.c10
-rw-r--r--src/tool_urlglob.h5
2 files changed, 12 insertions, 3 deletions
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index 5e73f1476..2821d008d 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -64,7 +64,10 @@ static GlobCode glob_set(URLGlob *glob, char *pattern,
pat->content.Set.ptr_s = 0;
pat->content.Set.elements = NULL;
- ++glob->size;
+ if(++glob->size > (GLOB_PATTERN_NUM*2)) {
+ snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n");
+ return GLOB_ERROR;
+ }
while(!done) {
switch (*pattern) {
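Review bot: In glob_set the new bound check sits below the stores `pat->content.Set.ptr_s = 0;` and `pat->content.Set.elements = NULL;`, so for a tenth glob those writes have already landed when the error is returned. They stay in bounds only because tool_urlglob.h now declares `pattern[GLOB_PATTERN_NUM+1]`, presumably as a spare slot, and nothing in the code states that coupling. I would test ahead of the first store through `pat` (which is above this hunk) with `if(glob->size >= (GLOB_PATTERN_NUM*2))` and keep `++glob->size;` where it is, or at least add `/* pattern[] has one spare slot, so the stores above are in bounds */`. The function starts and ends outside the hunk.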
@@ -181,7 +184,10 @@ static GlobCode glob_range(URLGlob *glob, char *pattern,
pat = &glob->pattern[glob->size / 2];
/* patterns 0,1,2,... correspond to size=1,3,5,... */
- ++glob->size;
+ if(++glob->size > (GLOB_PATTERN_NUM*2)) {
+ snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n");
+ return GLOB_ERROR;
+ }
if(ISALPHA(*pattern)) {
/* character range detected */
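Review bot: On the error path `++glob->size` has already run, so glob_range returns GLOB_ERROR with `size` counting a slot that was never filled in; any code that later walks `size` entries (not visible in this diff) would touch it. The same four lines are also pasted into the glob_set hunk, so the limit that guards the array is now enforced in two places. A small static helper that tests before incrementing would keep the bound in one spot and leave `size` untouched on failure; both call sites would then reduce to a call and an early return. glob_range's body continues outside the hunk.

```c
/* Claim the next pattern slot; fails once GLOB_PATTERN_NUM globs are used.
   glob->size is left unchanged on failure. */
static GlobCode glob_claim_slot(URLGlob *glob)
{
  if(glob->size >= (GLOB_PATTERN_NUM*2)) {
    snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n");
    return GLOB_ERROR;
  }
  ++glob->size;
  return GLOB_OK;
}

/* … unchanged: pat = &glob->pattern[glob->size / 2]; … */
if(glob_claim_slot(glob) != GLOB_OK)
  return GLOB_ERROR;
```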
diff --git a/src/tool_urlglob.h b/src/tool_urlglob.h
index 9c37f1560..9c0813750 100644
--- a/src/tool_urlglob.h
+++ b/src/tool_urlglob.h
@@ -53,9 +53,12 @@ typedef struct {
} content;
} URLPattern;
+/* the total number of globs supported */
+#define GLOB_PATTERN_NUM 9
+
typedef struct {
char *literal[10];
- URLPattern pattern[9];
+ URLPattern pattern[GLOB_PATTERN_NUM+1];
size_t size;
size_t urllen;
char *glob_buffer;
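Review bot: `char *literal[10];` stays a bare number although it depends on the same limit: going by the comment in glob_range, literals and patterns apparently alternate, so N globs need N+1 literal slots. Writing it as `char *literal[GLOB_PATTERN_NUM+1];` means raising the limit cannot leave the literal array one short. The `+1` on `pattern` also deserves a comment, for example `/* one spare slot: glob_set stores into the entry before checking the limit */`. The struct continues past the end of the hunk.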