author | Daniel Stenberg <daniel@haxx.se> | 2013-05-19 23:24:29 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2013-06-22 11:21:35 +0200 |
commit | 192c4f788d48f82c03e9cef40013f34370e90737 (patch) | |
tree | 3065f5fa6d538ed1aa21c2a7cc020c63ebd75086 /src/tool_mfiles.c | |
parent | da0db499fd1fed3ab061d8c03d25c06164c9f429 (diff) |
Curl_urldecode: no peeking beyond end of input buffer
Security problem: CVE-2013-2174
If a program would give a string like "%FF" to curl_easy_unescape() but
ask for it to decode only the first byte, it would still parse and
decode the full hex sequence. The function then not only read beyond the
allowed buffer but it would also deduct the *unsigned* counter variable
for how many more bytes there's left to read in the buffer by two,
making the counter wrap. Continuing this, the function would go on
reading beyond the buffer and soon writing beyond the allocated target
buffer...
Bug: http://curl.haxx.se/docs/adv_20130622.html
Reported-by: Timo Sirainen
Diffstat (limited to 'src/tool_mfiles.c')
0 files changed, 0 insertions, 0 deletions
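The bounds check the commit message calls for, as an added example that is not curl's code and is not taken from this commit. The names `urldecode_bounded`, `unchecked_remaining` and `hexval` are hypothetical, and the input strings are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value of one hex digit; the caller has already checked isxdigit(). */
static unsigned hexval(unsigned char c)
{
  return isdigit(c) ? (unsigned)(c - '0') : (unsigned)(tolower(c) - 'a') + 10u;
}

/* The counter arithmetic from the commit message: deducting 2 from an
   unsigned "bytes left" counter with no length check. With 1 byte left
   the result wraps to SIZE_MAX, so a loop driven by it keeps running. */
size_t unchecked_remaining(size_t left)
{
  return left - 2; /* well-defined modular wraparound */
}

/* Decode at most len bytes of in into out (capacity outcap). Returns the
   number of bytes written, or (size_t)-1 if out is too small. */
size_t urldecode_bounded(const char *in, size_t len, char *out, size_t outcap)
{
  size_t i = 0, o = 0;
  while(i < len) {
    unsigned char c = (unsigned char)in[i];
    /* Peek at in[i+1] and in[i+2] only when both lie inside the len bytes
       the caller allowed; otherwise the '%' is copied literally. */
    if(c == '%' && len - i >= 3 && isxdigit((unsigned char)in[i + 1]) &&
       isxdigit((unsigned char)in[i + 2])) {
      c = (unsigned char)((hexval((unsigned char)in[i + 1]) << 4) |
                          hexval((unsigned char)in[i + 2]));
      i += 2; /* index stays <= len because of the check above */
    }
    if(o >= outcap)
      return (size_t)-1; /* never write past the target buffer */
    out[o++] = (char)c;
    i++;
  }
  return o;
}

int main(void)
{
  char out[8];
  size_t n = urldecode_bounded("%FF", 1, out, sizeof out); /* constructed */
  printf("decoded %zu byte(s), first is '%c'\n", n, out[0]);
  printf("unchecked counter after 1 - 2: %zu\n", unchecked_remaining(1));
  return 0;
}
```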