Blame SOURCES/0008-curl-7.29.0-192c4f78.patch

From 25089c2c69028f0549facf93f7bdbf7344277f09 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 19 May 2013 23:24:29 +0200
Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer
Security problem: CVE-2013-2174
If a program would give a string like "%FF" to curl_easy_unescape() but
ask for it to decode only the first byte, it would still parse and
decode the full hex sequence. The function then not only read beyond the
allowed buffer but it would also deduct the *unsigned* counter variable
for how many more bytes there's left to read in the buffer by two,
making the counter wrap. Continuing this, the function would go on
reading beyond the buffer and soon writing beyond the allocated target
buffer...
Bug: http://curl.haxx.se/docs/adv_20130622.html
Reported-by: Timo Sirainen
[upstream commit 192c4f788d48f82c03e9cef40013f34370e90737]
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/escape.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/lib/escape.c b/lib/escape.c
index 6a26cf8..a567edb 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data,
 
   while(--alloc > 0) {
     in = *string;
-    if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
+    if(('%' == in) && (alloc > 2) &&
+       ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
       /* this is two hexadecimal digits following a '%' */
       char hexstr[3];
       char *ptr;
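Review bot: The `(alloc > 2)` guard lands ahead of `ISXDIGIT(string[1]) && ISXDIGIT(string[2])`, which is the right spot, since `&&` short-circuits and those two lookups are the reads past the end of the input that the commit message describes; what the hunk does not say is that `alloc` at this point counts the bytes still readable including `*string` itself (the `--alloc` in the `while` header has already run), so please add a one-line comment to that effect, because `> 2` reads like an off-by-one to anyone who assumes `alloc` is the count after the current byte. A regression test that hands `"%FF"` to the decoder with a length of 1 and expects a literal `"%"` back would pin the fix and cover the unsigned-counter wrap described in the message.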
-- 
1.7.1
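As an added example (not part of this patch or of curl's source): a minimal stand-alone re-implementation of the patched decode loop, named `demo_urldecode` here, so the effect of the `(alloc > 2)` guard can be exercised with length-limited input such as `"%FF"` decoded with a length of 1.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper mirroring the patched Curl_urldecode loop; not curl's
 * own code. A `length` of 0 means "use strlen(string)", as the commit message
 * describes for curl_easy_unescape(). Returns a malloc'd decoded string, or
 * NULL if allocation fails. The caller frees the result. */
char *demo_urldecode(const char *string, size_t length)
{
  size_t alloc = (length ? length : strlen(string)) + 1;
  char *ns = malloc(alloc);
  size_t strindex = 0;
  unsigned char in;

  if(!ns)
    return NULL;

  /* After the --alloc below, `alloc` is the number of bytes still readable
   * counting *string itself; the guard in the if() relies on exactly that. */
  while(--alloc > 0) {
    in = (unsigned char)*string;
    /* The fix from the patch: require three readable bytes ('%' plus two hex
     * digits) before looking at string[1] and string[2]. Without it, "%FF"
     * with length 1 reads past the input and then wraps the unsigned counter
     * via alloc -= 2, as the commit message explains. */
    if(('%' == in) && (alloc > 2) &&
       isxdigit((unsigned char)string[1]) &&
       isxdigit((unsigned char)string[2])) {
      char hexstr[3] = { string[1], string[2], 0 };
      in = (unsigned char)strtoul(hexstr, NULL, 16);
      string += 2;
      alloc -= 2;   /* still unsigned, but now guaranteed not to wrap */
    }
    ns[strindex++] = (char)in;
    string++;
  }
  ns[strindex] = 0;  /* terminate the decoded string */
  return ns;
}
```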