author | Daniel Stenberg <daniel@haxx.se> | 2016-10-03 17:27:16 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2016-10-31 08:46:35 +0100 |
commit | fbb5f1aa0326d485d5a7ac643b48481897ca667f (patch) | |
tree | 08ffbd8e2c32dc3428ebeb3807f4853da150133c | |
parent | 96a80b5a262fb6dd2ddcea7987296f3b9a405618 (diff) |
range: prevent negative end number in a glob range
CVE-2016-8620
Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn
-rw-r--r-- | src/tool_urlglob.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index a357b8b56..64c75ba4f 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
 endp = NULL;
 else {
 pattern = endp+1;
+ while(*pattern && ISBLANK(*pattern))
+ pattern++;
+ if(!ISDIGIT(*pattern)) {
+ endp = NULL;
+ goto fail;
+ }
 errno = 0;
 max_n = strtoul(pattern, &endp, 10);
 if(errno || (*endp == ':')) {
@@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
 } } + fail: *posp += (pattern - *patternp); if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || !step_n) |
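Review bot: The added `ISDIGIT()` guard closes the sign-wrap path for the end number only; the step value that is presumably parsed inside the `*endp == ':'` branch just past the end of this hunk still appears to go straight through `strtoul()`, which skips leading whitespace and accepts a sign, so a negative step would wrap to a large unsigned value and be caught only by the later `step_n > (max_n - min_n)` / `!step_n` test. Applying the same skip-blanks-then-require-a-digit sequence before that `strtoul()` would make all three numeric fields of the range parse under one rule. The reason blanks are tolerated but a sign is not will not be obvious to a later reader; a comment above the loop such as `/* strtoul() would also accept a sign here; insist on a digit so "-N" cannot wrap to a huge unsigned value */` records it. glob_range() begins before this hunk and ends after it.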