From 01cf1308ee2e792c77bb1d2c9218c56a30fd40ae Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 13 Sep 2016 23:00:50 +0200 Subject: curl_easy_unescape: deny negative string lengths as input CVE-2016-7167 Bug: https://curl.haxx.se/docs/adv_20160914.html --- lib/escape.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'lib') diff --git a/lib/escape.c b/lib/escape.c index 63edd84fa..e61260d7c 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -217,14 +217,16 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string, int length, int *olen) { char *str = NULL; - size_t inputlen = length; - size_t outputlen; - CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen, - FALSE); - if(res) - return NULL; - if(olen) - *olen = curlx_uztosi(outputlen); + if(length >= 0) { + size_t inputlen = length; + size_t outputlen; + CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen, + FALSE); + if(res) + return NULL; + if(olen) + *olen = curlx_uztosi(outputlen); + } return str; } -- cgit v1.2.3