aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2016-09-08 22:59:54 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-09-14 07:49:43 +0200
commit826a9ced2bed217155e34065ef4048931f327b1e (patch)
tree566fe2c2c2cdf4536ff160898b4b6f29c0dce8fd
parentffa0709a889a3d59553538ee00ce81a0e524a96e (diff)
curl_easy_escape: deny negative string lengths as input
CVE-2016-7167 Bug: https://curl.haxx.se/docs/adv_20160914.html
-rw-r--r--lib/escape.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/escape.c b/lib/escape.c
index 04230b4ca..63edd84fa 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -78,15 +78,21 @@ char *curl_unescape(const char *string, int length)
char *curl_easy_escape(struct Curl_easy *data, const char *string,
int inlength)
{
- size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
+ size_t alloc;
char *ns;
char *testing_ptr = NULL;
unsigned char in; /* we need to treat the characters unsigned */
- size_t newlen = alloc;
+ size_t newlen;
size_t strindex=0;
size_t length;
CURLcode result;
+ if(inlength < 0)
+ return NULL;
+
+ alloc = (inlength?(size_t)inlength:strlen(string))+1;
+ newlen = alloc;
+
ns = malloc(alloc);
if(!ns)
return NULL;