From 49184c37233c2cf27b79ebcd29fb8a4f5fb2e1ed Mon Sep 17 00:00:00 2001
From: Steve Holme <steve_holme@hotmail.com>
Date: Fri, 19 Apr 2013 19:37:55 +0100
Subject: url: Added bounds checking to parse_login_details()

Added bounds checking when searching for the separator characters within
the login string as this string may not be NULL terminated (For example
it is the login part of a URL). We do this in preference to allocating a
new string to copy the login details into which could then be passed to
parse_login_details() for performance reasons.
---
 lib/url.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/url.c b/lib/url.c
index bd07059bc..3563f0853 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -4482,13 +4482,23 @@ static CURLcode parse_login_details(const char *login, const size_t len,
   size_t olen;
 
   /* Attempt to find the password separator */
-  if(passwdp)
+  if(passwdp) {
     psep = strchr(login, ':');
 
+    /* Within the constraint of the login string */
+    if(psep >= login + len)
+      psep = NULL;
+  }
+
   /* Attempt to find the options separator */
-  if(optionsp)
+  if(optionsp) {
     osep = strchr(login, ';');
 
+    /* Within the constraint of the login string */
+    if(osep >= login + len)
+      osep = NULL;
+  }
+
   /* Calculate the portion lengths */
   ulen = (psep ?
           (size_t)(osep && psep > osep ? osep - login : psep - login) :
-- 
cgit v1.2.3