|
|
3a27f0 |
From 25089c2c69028f0549facf93f7bdbf7344277f09 Mon Sep 17 00:00:00 2001
|
|
|
3a27f0 |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
3a27f0 |
Date: Sun, 19 May 2013 23:24:29 +0200
|
|
|
3a27f0 |
Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer
|
|
|
3a27f0 |
|
|
|
3a27f0 |
Security problem: CVE-2013-2174
|
|
|
3a27f0 |
|
|
|
3a27f0 |
If a program would give a string like "%FF" to curl_easy_unescape() but
|
|
|
3a27f0 |
ask for it to decode only the first byte, it would still parse and
|
|
|
3a27f0 |
decode the full hex sequence. The function then not only read beyond the
|
|
|
3a27f0 |
allowed buffer but it would also deduct the *unsigned* counter variable
|
|
|
3a27f0 |
for how many more bytes there's left to read in the buffer by two,
|
|
|
3a27f0 |
making the counter wrap. Continuing this, the function would go on
|
|
|
3a27f0 |
reading beyond the buffer and soon writing beyond the allocated target
|
|
|
3a27f0 |
buffer...
|
|
|
3a27f0 |
|
|
|
3a27f0 |
Bug: http://curl.haxx.se/docs/adv_20130622.html
|
|
|
3a27f0 |
Reported-by: Timo Sirainen
|
|
|
3a27f0 |
|
|
|
3a27f0 |
[upstream commit 192c4f788d48f82c03e9cef40013f34370e90737]
|
|
|
3a27f0 |
|
|
|
3a27f0 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
3a27f0 |
---
|
|
|
3a27f0 |
lib/escape.c | 3 ++-
|
|
|
3a27f0 |
1 files changed, 2 insertions(+), 1 deletions(-)
|
|
|
3a27f0 |
|
|
|
3a27f0 |
diff --git a/lib/escape.c b/lib/escape.c
|
|
|
3a27f0 |
index 6a26cf8..a567edb 100644
|
|
|
3a27f0 |
--- a/lib/escape.c
|
|
|
3a27f0 |
+++ b/lib/escape.c
|
|
|
3a27f0 |
@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data,
|
|
|
3a27f0 |
|
|
|
3a27f0 |
while(--alloc > 0) {
|
|
|
3a27f0 |
in = *string;
|
|
|
3a27f0 |
- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
|
|
|
3a27f0 |
+ if(('%' == in) && (alloc > 2) &&
|
|
|
3a27f0 |
+ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
|
|
|
3a27f0 |
/* this is two hexadecimal digits following a '%' */
|
|
|
3a27f0 |
char hexstr[3];
|
|
|
3a27f0 |
char *ptr;
|
|
|
3a27f0 |
--
|
|
|
3a27f0 |
1.7.1
|
|
|
3a27f0 |
|