diff options
| author | Even Rouault <even.rouault@spatialys.com> | 2018-09-23 14:17:30 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2018-09-24 07:48:41 +0200 |
| commit | 55b51b8c493ee37e1cb4a57255ef38ce595a4186 (patch) | |
| tree | 36ff3d06b9c5f5d3eab47369e50a129203c029ec | |
| parent | 6ae6b2a533e8630afbb21f570305bd4ceece6348 (diff) | |
Curl_dedotdotify(): always nul terminate returned string.
This fixes potential out-of-buffer access on "file:./" URL
$ valgrind curl "file:./"
==24516== Memcheck, a memory error detector
==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24516== Command: /home/even/install-curl-git/bin/curl file:./
==24516==
==24516== Conditional jump or move depends on uninitialised value(s)
==24516== at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24516== by 0x4EBB315: seturl (urlapi.c:801)
==24516== by 0x4EBB568: parseurl (urlapi.c:861)
==24516== by 0x4EBC509: curl_url_set (urlapi.c:1199)
==24516== by 0x4E644C6: parseurlandfillconn (url.c:2044)
==24516== by 0x4E67AEF: create_conn (url.c:3613)
==24516== by 0x4E68A4F: Curl_connect (url.c:4119)
==24516== by 0x4E7F0A4: multi_runsingle (multi.c:1440)
==24516== by 0x4E808E5: curl_multi_perform (multi.c:2173)
==24516== by 0x4E7558C: easy_transfer (easy.c:686)
==24516== by 0x4E75801: easy_perform (easy.c:779)
==24516== by 0x4E75868: curl_easy_perform (easy.c:798)
Was originally spotted by
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637
Credit to OSS-Fuzz
Closes #3039
| -rw-r--r-- | lib/dotdot.c | 2 | ||||
| -rw-r--r-- | tests/libtest/lib1560.c | 3 |
2 files changed, 5 insertions, 0 deletions
diff --git a/lib/dotdot.c b/lib/dotdot.c index cbb308d78..2c6177aea 100644 --- a/lib/dotdot.c +++ b/lib/dotdot.c @@ -62,6 +62,8 @@ char *Curl_dedotdotify(const char *input) if(!out) return NULL; /* out of memory */ + *out = 0; /* zero terminates, for inputs like "./" */ + /* get a cloned copy of the input */ clone = strdup(input); if(!clone) { diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c index 7a5be812a..e0faa12b2 100644 --- a/tests/libtest/lib1560.c +++ b/tests/libtest/lib1560.c @@ -300,6 +300,9 @@ static struct urltestcase get_url_list[] = { {"file:///file.txt", "file:///file.txt", 0, 0, CURLUE_OK}, + {"file:./", + "file://", + 0, 0, CURLUE_MALFORMED_INPUT}, {"http://example.com/hello/../here", "http://example.com/hello/../here", CURLU_PATH_AS_IS, 0, CURLUE_OK}, |