author | Daniel Stenberg <daniel@haxx.se> | 2017-08-14 23:33:23 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2017-08-14 23:33:41 +0200 |
commit | ff50fe0348466cae1a9f9f759b362c03f7060c34 (patch) | |
tree | 6a5a6efbe7bd7b00e49982e09a5da8f8341de28c /src | |
parent | b53b4e44241415c0a7ad857c72ec323109d2a7c0 (diff) |
strtoofft: reduce integer overflow risks globally
... make sure we bail out on overflows.
Reported-by: Brian Carpenter
Closes #1758
Diffstat (limited to 'src')
-rw-r--r-- | src/tool_getparam.c | 11 | ||||
-rw-r--r-- | src/tool_paramhlp.c | 10 |
2 files changed, 16 insertions, 5 deletions
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index b7ee519b3..40b39a8aa 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -590,7 +590,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
 {
 /* We support G, M, K too */
 char *unit;
- curl_off_t value = curlx_strtoofft(nextarg, &unit, 0);
+ curl_off_t value;
+ if(curlx_strtoofft(nextarg, &unit, 0, &value)) {
+ warnf(global, "unsupported rate\n");
+ return PARAM_BAD_USE;
+ }
 if(!*unit) unit = (char *)"b";
@@ -1843,10 +1847,13 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
 if(ISDIGIT(*nextarg) && !strchr(nextarg, '-')) {
 char buffer[32];
 curl_off_t off;
+ if(curlx_strtoofft(nextarg, NULL, 10, &off)) {
+ warnf(global, "unsupported range point\n");
+ return PARAM_BAD_USE;
+ }
 warnf(global, "A specified range MUST include at least one dash (-). " "Appending one for you!\n");
- off = curlx_strtoofft(nextarg, NULL, 10);
 snprintf(buffer, sizeof(buffer), "%" CURL_FORMAT_CURL_OFF_T "-", off);
 Curl_safefree(config->range);
 config->range = strdup(buffer);
diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
index 85c5e79a7..86a3fe6b0 100644
--- a/src/tool_paramhlp.c
+++ b/src/tool_paramhlp.c
@@ -400,9 +400,13 @@ ParameterError str2offset(curl_off_t *val, const char *str)
 return PARAM_NEGATIVE_NUMERIC;
 #if(CURL_SIZEOF_CURL_OFF_T > CURL_SIZEOF_LONG)
- *val = curlx_strtoofft(str, &endptr, 0);
- if((*val == CURL_OFF_T_MAX || *val == CURL_OFF_T_MIN) && (errno == ERANGE))
- return PARAM_NUMBER_TOO_LARGE;
+ {
+ CURLofft offt = curlx_strtoofft(str, &endptr, 0, val);
+ if(CURL_OFFT_FLOW == offt)
+ return PARAM_NUMBER_TOO_LARGE;
+ else if(CURL_OFFT_INVAL == offt)
+ return PARAM_BAD_NUMERIC;
+ }
 #else
 errno = 0;
 *val = strtol(str, &endptr, 0); |
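Review bot: In the first tool_getparam.c hunk (the "unsupported rate" check), the new guard only bounds the number as it is parsed. The comment `/* We support G, M, K too */` and the `unit` handling suggest the value is scaled by a suffix afterwards, outside this hunk, and that multiplication could still overflow curl_off_t if it is not checked. If so, a bound test before scaling, along the lines of `if(value > CURL_OFF_T_MAX / multiplier) return PARAM_BAD_USE;` (with `multiplier` standing for whatever factor the suffix selects), would close the gap. The check also folds overflow and invalid input into PARAM_BAD_USE, whereas str2offset in tool_paramhlp.c maps CURL_OFFT_FLOW to PARAM_NUMBER_TOO_LARGE; making the same distinction here would give a more accurate error.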
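Review bot: In the second tool_getparam.c hunk (the "unsupported range point" check), `curlx_strtoofft(nextarg, NULL, 10, &off)` is called with a NULL end pointer, so whatever follows the leading digits is never examined. An argument that starts with a digit and contains no dash then appears to be rewritten to the parsed number plus `-`, with any trailing text silently dropped. Capturing the end pointer and rejecting leftovers, e.g. `char *end;` and `if(curlx_strtoofft(nextarg, &end, 10, &off) || *end) {`, would make the rewrite refuse malformed input instead of guessing at it. The enclosing `if(ISDIGIT(*nextarg) ...` block continues outside the hunk.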
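Review bot: In the tool_paramhlp.c hunk, the `#if` branch of str2offset no longer consults errno while the `#else` branch still sets `errno = 0` before strtol(), and nothing in the code says why the two differ. A one-line comment above the new block, such as `/* curlx_strtoofft() reports overflow and bad input through its return code, errno is not used here */`, would keep a later reader from re-adding an errno test. The two comparisons could also become a `switch(offt)` so that every result other than success is handled in one place. The `#else` branch and the rest of str2offset continue outside the hunk.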