From ee4f76606cfa4ee068bf28edd37c8dae7e8db317 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 4 Oct 2016 17:25:09 +0200
Subject: range: reject char globs with missing end like '[L-]'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
... which previously would lead to out of boundary reads.
Reported-by: Luật Nguyễn
---
src/tool_urlglob.c | 34 +++++++++++++++++++---------------
1 file changed, 19 insertions(+), 15 deletions(-)
(limited to 'src/tool_urlglob.c')
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index c45a78b21..09d21b61e 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -188,32 +188,36 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
 /* character range detected */
 char min_c;
 char max_c;
+ char end_c;
 int step=1;
 pat->type = UPTCharRange;
- rc = sscanf(pattern, "%c-%c", &min_c, &max_c);
+ rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);
- if((rc == 2) && (pattern[3] == ':')) {
- char *endp;
- unsigned long lstep;
- errno = 0;
- lstep = strtoul(&pattern[4], &endp, 10);
- if(errno || (*endp != ']'))
- step = -1;
- else {
- pattern = endp+1;
- step = (int)lstep;
- if(step > (max_c - min_c))
+ if(rc == 3) {
+ if(end_c == ':') {
+ char *endp;
+ unsigned long lstep;
+ errno = 0;
+ lstep = strtoul(&pattern[4], &endp, 10);
+ if(errno || (*endp != ']'))
 step = -1;
+ else {
+ pattern = endp+1;
+ step = (int)lstep;
+ if(step > (max_c - min_c))
+ step = -1;
+ }
 }
+ else if(end_c != ']')
+ /* then this is wrong */
+ rc = 0;
 }
- else
- pattern += 4;
 *posp += (pattern - *patternp);
- if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
+ if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
 (step <= 0) )
 /* the pattern is not well-formed */
 return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);
--
cgit v1.2.3
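Review bot: The plain `[a-z]` form no longer advances `pattern`: the old `else pattern += 4;` is removed, and inside the new `if(rc == 3)` block only the `end_c == ':'` branch moves it (`pattern = endp+1`), so for `end_c == ']'` the following `*posp += (pattern - *patternp);` adds zero. If the code after this hunk stores `pattern` back through `patternp` (not visible here; glob_range's body starts and ends outside the hunk), the caller would resume parsing inside the range instead of after the `]`. Keep the skip in the accepting branch, e.g. `else if(end_c == ']') pattern += 4;` followed by `else rc = 0;`. Test cases for both `[a-c]` and the rejected `[L-]` would cover the out-of-bounds fix and the normal path together.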