|
|
c260e0 |
From 7959c5713bbec03c9284a14b1fdd7379520199bc Mon Sep 17 00:00:00 2001
|
|
|
c260e0 |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
c260e0 |
Date: Thu, 8 Sep 2016 22:59:54 +0200
|
|
|
c260e0 |
Subject: [PATCH 1/2] curl_easy_escape: deny negative string lengths as input
|
|
|
c260e0 |
|
|
|
c260e0 |
CVE-2016-7167
|
|
|
c260e0 |
|
|
|
c260e0 |
Bug: https://curl.haxx.se/docs/adv_20160914.html
|
|
|
c260e0 |
|
|
|
c260e0 |
Upstream-commit: 826a9ced2bed217155e34065ef4048931f327b1e
|
|
|
c260e0 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
c260e0 |
---
|
|
|
c260e0 |
lib/escape.c | 10 ++++++++--
|
|
|
c260e0 |
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
c260e0 |
|
|
|
c260e0 |
diff --git a/lib/escape.c b/lib/escape.c
|
|
|
c260e0 |
index 40338a9..c6aa3b9 100644
|
|
|
c260e0 |
--- a/lib/escape.c
|
|
|
c260e0 |
+++ b/lib/escape.c
|
|
|
c260e0 |
@@ -80,15 +80,21 @@ char *curl_unescape(const char *string, int length)
|
|
|
c260e0 |
|
|
|
c260e0 |
char *curl_easy_escape(CURL *handle, const char *string, int inlength)
|
|
|
c260e0 |
{
|
|
|
c260e0 |
- size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
|
|
|
c260e0 |
+ size_t alloc;
|
|
|
c260e0 |
char *ns;
|
|
|
c260e0 |
char *testing_ptr = NULL;
|
|
|
c260e0 |
unsigned char in; /* we need to treat the characters unsigned */
|
|
|
c260e0 |
- size_t newlen = alloc;
|
|
|
c260e0 |
+ size_t newlen;
|
|
|
c260e0 |
size_t strindex=0;
|
|
|
c260e0 |
size_t length;
|
|
|
c260e0 |
CURLcode res;
|
|
|
c260e0 |
|
|
|
c260e0 |
+ if(inlength < 0)
|
|
|
c260e0 |
+ return NULL;
|
|
|
c260e0 |
+
|
|
|
c260e0 |
+ alloc = (inlength?(size_t)inlength:strlen(string))+1;
|
|
|
c260e0 |
+ newlen = alloc;
|
|
|
c260e0 |
+
|
|
|
c260e0 |
ns = malloc(alloc);
|
|
|
c260e0 |
if(!ns)
|
|
|
c260e0 |
return NULL;
|
|
|
c260e0 |
--
|
|
|
c260e0 |
2.7.4
|
|
|
c260e0 |
|
|
|
c260e0 |
|
|
|
c260e0 |
From 6a280152e3893938e5d26f5d535613eefab80b5a Mon Sep 17 00:00:00 2001
|
|
|
c260e0 |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
c260e0 |
Date: Tue, 13 Sep 2016 23:00:50 +0200
|
|
|
c260e0 |
Subject: [PATCH 2/2] curl_easy_unescape: deny negative string lengths as input
|
|
|
c260e0 |
|
|
|
c260e0 |
CVE-2016-7167
|
|
|
c260e0 |
|
|
|
c260e0 |
Bug: https://curl.haxx.se/docs/adv_20160914.html
|
|
|
c260e0 |
|
|
|
c260e0 |
Upstream-commit: 01cf1308ee2e792c77bb1d2c9218c56a30fd40ae
|
|
|
c260e0 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
c260e0 |
---
|
|
|
c260e0 |
lib/escape.c | 18 ++++++++++--------
|
|
|
c260e0 |
1 file changed, 10 insertions(+), 8 deletions(-)
|
|
|
c260e0 |
|
|
|
c260e0 |
diff --git a/lib/escape.c b/lib/escape.c
|
|
|
c260e0 |
index c6aa3b9..808ac6c 100644
|
|
|
c260e0 |
--- a/lib/escape.c
|
|
|
c260e0 |
+++ b/lib/escape.c
|
|
|
c260e0 |
@@ -219,14 +219,16 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length,
|
|
|
c260e0 |
int *olen)
|
|
|
c260e0 |
{
|
|
|
c260e0 |
char *str = NULL;
|
|
|
c260e0 |
- size_t inputlen = length;
|
|
|
c260e0 |
- size_t outputlen;
|
|
|
c260e0 |
- CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
|
|
|
c260e0 |
- FALSE);
|
|
|
c260e0 |
- if(res)
|
|
|
c260e0 |
- return NULL;
|
|
|
c260e0 |
- if(olen)
|
|
|
c260e0 |
- *olen = curlx_uztosi(outputlen);
|
|
|
c260e0 |
+ if(length >= 0) {
|
|
|
c260e0 |
+ size_t inputlen = length;
|
|
|
c260e0 |
+ size_t outputlen;
|
|
|
c260e0 |
+ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
|
|
|
c260e0 |
+ FALSE);
|
|
|
c260e0 |
+ if(res)
|
|
|
c260e0 |
+ return NULL;
|
|
|
c260e0 |
+ if(olen)
|
|
|
c260e0 |
+ *olen = curlx_uztosi(outputlen);
|
|
|
c260e0 |
+ }
|
|
|
c260e0 |
return str;
|
|
|
c260e0 |
}
|
|
|
c260e0 |
|
|
|
c260e0 |
--
|
|
|
c260e0 |
2.7.4
|
|
|
c260e0 |
|