aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2016-10-04 17:25:09 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-10-31 08:46:35 +0100
commitee4f76606cfa4ee068bf28edd37c8dae7e8db317 (patch)
tree59ebe6924c27dc9909f1c769781e1738c0f12f72 /src
parent269a88910436d730ac212f4dc01cbe6961338061 (diff)
range: reject char globs with missing end like '[L-]'
... which previously would lead to out of boundary reads. Reported-by: Luật Nguyễn
Diffstat (limited to 'src')
-rw-r--r--src/tool_urlglob.c34
1 files changed, 19 insertions, 15 deletions
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index c45a78b21..09d21b61e 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -188,32 +188,36 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
/* character range detected */
char min_c;
char max_c;
+ char end_c;
int step=1;
pat->type = UPTCharRange;
- rc = sscanf(pattern, "%c-%c", &min_c, &max_c);
+ rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);
- if((rc == 2) && (pattern[3] == ':')) {
- char *endp;
- unsigned long lstep;
- errno = 0;
- lstep = strtoul(&pattern[4], &endp, 10);
- if(errno || (*endp != ']'))
- step = -1;
- else {
- pattern = endp+1;
- step = (int)lstep;
- if(step > (max_c - min_c))
+ if(rc == 3) {
+ if(end_c == ':') {
+ char *endp;
+ unsigned long lstep;
+ errno = 0;
+ lstep = strtoul(&pattern[4], &endp, 10);
+ if(errno || (*endp != ']'))
step = -1;
+ else {
+ pattern = endp+1;
+ step = (int)lstep;
+ if(step > (max_c - min_c))
+ step = -1;
+ }
}
+ else if(end_c != ']')
+ /* then this is wrong */
+ rc = 0;
}
- else
- pattern += 4;
*posp += (pattern - *patternp);
- if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
+ if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
(step <= 0) )
/* the pattern is not well-formed */
return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);