File curl-CVE-2016-8622.patch of Package curl.6139

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2016-8622.patch of Package curl.6139

From 635590efc040a58a8ce7c9bd8ed84ff2933737cb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 4 Oct 2016 18:56:45 +0200
Subject: [PATCH] unescape: avoid integer overflow

---
 docs/libcurl/curl_easy_unescape.3 |  7 +++++--
 lib/dict.c                        | 10 +++++-----
 lib/escape.c                      | 10 ++++++++--
 3 files changed, 18 insertions(+), 9 deletions(-)

Index: curl-7.37.0/docs/libcurl/curl_easy_unescape.3
===================================================================
--- curl-7.37.0.orig/docs/libcurl/curl_easy_unescape.3	2016-10-24 11:30:46.595821069 +0200
+++ curl-7.37.0/docs/libcurl/curl_easy_unescape.3	2016-10-24 11:30:48.139844505 +0200
@@ -40,7 +40,10 @@ will use strlen() on the input \fIurl\fP
 
 If \fBoutlength\fP is non-NULL, the function will write the length of the
 returned string in the integer it points to. This allows an escaped string
-containing %00 to still get used properly after unescaping.
+containing %00 to still get used properly after unescaping. Since this is a
+pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no
+longer string can be unescaped if the string length is returned in this
+parameter.
 
 You must \fIcurl_free(3)\fP the returned string when you're done with it.
 .SH AVAILABILITY
Index: curl-7.37.0/lib/dict.c
===================================================================
--- curl-7.37.0.orig/lib/dict.c	2016-10-24 11:30:46.595821069 +0200
+++ curl-7.37.0/lib/dict.c	2016-10-24 11:30:48.139844505 +0200
@@ -52,7 +52,7 @@
 #include <curl/curl.h>
 #include "transfer.h"
 #include "sendf.h"
-
+#include "escape.h"
 #include "progress.h"
 #include "strequal.h"
 #include "dict.h"
@@ -100,12 +100,12 @@ static char *unescape_word(struct Sessio
   char *newp;
   char *dictp;
   char *ptr;
-  int len;
+  size_t len;
   char byte;
   int olen=0;
 
-  newp = curl_easy_unescape(data, inputbuff, 0, &len);
-  if(!newp)
+  CURLcode result = Curl_urldecode(data, inputbuff, 0, &newp, &len, FALSE);
+  if(!newp || result)
     return NULL;
 
   dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */
Index: curl-7.37.0/lib/escape.c
===================================================================
--- curl-7.37.0.orig/lib/escape.c	2016-10-24 11:30:48.139844505 +0200
+++ curl-7.37.0/lib/escape.c	2016-10-24 11:31:40.904648797 +0200
@@ -225,8 +225,13 @@ char *curl_easy_unescape(CURL *handle, c
                                 FALSE);
   if(res)
     return NULL;
-  if(olen)
-    *olen = curlx_uztosi(outputlen);
+  if(olen) {
+    if(outputlen <= (size_t) INT_MAX)
+      *olen = curlx_uztosi(outputlen);
+    else
+      /* too large to return in an int, fail! */
+      Curl_safefree(str);
+  }
   }
   return str;
 }

Places

File curl-CVE-2016-8622.patch of Package curl.6139

Places