diff options
author | Daniel Stenberg <daniel@haxx.se> | 2016-09-08 22:59:54 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2016-09-14 07:49:43 +0200 |
commit | 826a9ced2bed217155e34065ef4048931f327b1e (patch) | |
tree | 566fe2c2c2cdf4536ff160898b4b6f29c0dce8fd | |
parent | ffa0709a889a3d59553538ee00ce81a0e524a96e (diff) |
curl_easy_escape: deny negative string lengths as input
CVE-2016-7167
Bug: https://curl.haxx.se/docs/adv_20160914.html
-rw-r--r-- | lib/escape.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/escape.c b/lib/escape.c index 04230b4ca..63edd84fa 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -78,15 +78,21 @@ char *curl_unescape(const char *string, int length) char *curl_easy_escape(struct Curl_easy *data, const char *string, int inlength) { - size_t alloc = (inlength?(size_t)inlength:strlen(string))+1; + size_t alloc; char *ns; char *testing_ptr = NULL; unsigned char in; /* we need to treat the characters unsigned */ - size_t newlen = alloc; + size_t newlen; size_t strindex=0; size_t length; CURLcode result; + if(inlength < 0) + return NULL; + + alloc = (inlength?(size_t)inlength:strlen(string))+1; + newlen = alloc; + ns = malloc(alloc); if(!ns) return NULL; |