aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEven Rouault <even.rouault@spatialys.com>2018-09-23 14:17:30 +0200
committerDaniel Stenberg <daniel@haxx.se>2018-09-24 07:48:41 +0200
commit55b51b8c493ee37e1cb4a57255ef38ce595a4186 (patch)
tree36ff3d06b9c5f5d3eab47369e50a129203c029ec
parent6ae6b2a533e8630afbb21f570305bd4ceece6348 (diff)
Curl_dedotdotify(): always nul terminate returned string.
This fixes potential out-of-buffer access on "file:./" URL $ valgrind curl "file:./" ==24516== Memcheck, a memory error detector ==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==24516== Command: /home/even/install-curl-git/bin/curl file:./ ==24516== ==24516== Conditional jump or move depends on uninitialised value(s) ==24516== at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==24516== by 0x4EBB315: seturl (urlapi.c:801) ==24516== by 0x4EBB568: parseurl (urlapi.c:861) ==24516== by 0x4EBC509: curl_url_set (urlapi.c:1199) ==24516== by 0x4E644C6: parseurlandfillconn (url.c:2044) ==24516== by 0x4E67AEF: create_conn (url.c:3613) ==24516== by 0x4E68A4F: Curl_connect (url.c:4119) ==24516== by 0x4E7F0A4: multi_runsingle (multi.c:1440) ==24516== by 0x4E808E5: curl_multi_perform (multi.c:2173) ==24516== by 0x4E7558C: easy_transfer (easy.c:686) ==24516== by 0x4E75801: easy_perform (easy.c:779) ==24516== by 0x4E75868: curl_easy_perform (easy.c:798) Was originally spotted by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637 Credit to OSS-Fuzz Closes #3039
-rw-r--r--lib/dotdot.c2
-rw-r--r--tests/libtest/lib1560.c3
2 files changed, 5 insertions, 0 deletions
diff --git a/lib/dotdot.c b/lib/dotdot.c
index cbb308d78..2c6177aea 100644
--- a/lib/dotdot.c
+++ b/lib/dotdot.c
@@ -62,6 +62,8 @@ char *Curl_dedotdotify(const char *input)
if(!out)
return NULL; /* out of memory */
+ *out = 0; /* zero terminates, for inputs like "./" */
+
/* get a cloned copy of the input */
clone = strdup(input);
if(!clone) {
diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
index 7a5be812a..e0faa12b2 100644
--- a/tests/libtest/lib1560.c
+++ b/tests/libtest/lib1560.c
@@ -300,6 +300,9 @@ static struct urltestcase get_url_list[] = {
{"file:///file.txt",
"file:///file.txt",
0, 0, CURLUE_OK},
+ {"file:./",
+ "file://",
+ 0, 0, CURLUE_MALFORMED_INPUT},
{"http://example.com/hello/../here",
"http://example.com/hello/../here",
CURLU_PATH_AS_IS, 0, CURLUE_OK},