diff options
author | Daniel Stenberg <daniel@haxx.se> | 2012-08-07 13:45:59 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2012-08-07 13:45:59 +0200 |
commit | 73b1a965f76d0b3e03e078604fe1824875ce15c0 (patch) | |
tree | 27760175b6738fffb9cd7529ec665256b41060a7 | |
parent | 42e4c34ff37c259ff26e78aab22c0bccf06d1bcb (diff) |
globbing: fix segfault when >9 globs were used
Stupid lack of range checks caused the code to overwrite local variables
after glob number nine. Added checks now.
Bug: http://curl.haxx.se/bug/view.cgi?id=3546353
-rw-r--r-- | src/tool_urlglob.c | 10 | ||||
-rw-r--r-- | src/tool_urlglob.h | 5 |
2 files changed, 12 insertions, 3 deletions
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c index 5e73f1476..2821d008d 100644 --- a/src/tool_urlglob.c +++ b/src/tool_urlglob.c @@ -64,7 +64,10 @@ static GlobCode glob_set(URLGlob *glob, char *pattern, pat->content.Set.ptr_s = 0; pat->content.Set.elements = NULL; - ++glob->size; + if(++glob->size > (GLOB_PATTERN_NUM*2)) { + snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n"); + return GLOB_ERROR; + } while(!done) { switch (*pattern) { @@ -181,7 +184,10 @@ static GlobCode glob_range(URLGlob *glob, char *pattern, pat = &glob->pattern[glob->size / 2]; /* patterns 0,1,2,... correspond to size=1,3,5,... */ - ++glob->size; + if(++glob->size > (GLOB_PATTERN_NUM*2)) { + snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n"); + return GLOB_ERROR; + } if(ISALPHA(*pattern)) { /* character range detected */ diff --git a/src/tool_urlglob.h b/src/tool_urlglob.h index 9c37f1560..9c0813750 100644 --- a/src/tool_urlglob.h +++ b/src/tool_urlglob.h @@ -53,9 +53,12 @@ typedef struct { } content; } URLPattern; +/* the total number of globs supported */ +#define GLOB_PATTERN_NUM 9 + typedef struct { char *literal[10]; - URLPattern pattern[9]; + URLPattern pattern[GLOB_PATTERN_NUM+1]; size_t size; size_t urllen; char *glob_buffer; |