File curl-CVE-2016-7167.patch of Package curl.6669

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2016-7167.patch of Package curl.6669

From bf0bb3849422c043f21f56fae57c1cf85e41a272 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 8 Sep 2016 22:59:54 +0200
Subject: [PATCH] CVE-2016-7167: deny negative string length inputs

Bug: https://curl.haxx.se/docs/adv_20160914.html
---
 lib/escape.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

Index: curl-7.37.0/lib/escape.c
===================================================================
--- curl-7.37.0.orig/lib/escape.c	2016-10-21 14:04:31.426252033 +0200
+++ curl-7.37.0/lib/escape.c	2016-10-21 14:04:44.842340871 +0200
@@ -80,15 +80,21 @@ char *curl_unescape(const char *string,
 
 char *curl_easy_escape(CURL *handle, const char *string, int inlength)
 {
-  size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
+  size_t alloc;
   char *ns;
   char *testing_ptr = NULL;
   unsigned char in; /* we need to treat the characters unsigned */
-  size_t newlen = alloc;
+  size_t newlen;
   size_t strindex=0;
   size_t length;
   CURLcode res;
 
+  if(inlength < 0)
+    return NULL;
+
+  alloc = (inlength?(size_t)inlength:strlen(string))+1;
+  newlen = alloc;
+
   ns = malloc(alloc);
   if(!ns)
     return NULL;
@@ -212,6 +218,7 @@ char *curl_easy_unescape(CURL *handle, c
                          int *olen)
 {
   char *str = NULL;
+  if(length >= 0) {
   size_t inputlen = length;
   size_t outputlen;
   CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
@@ -220,6 +227,7 @@ char *curl_easy_unescape(CURL *handle, c
     return NULL;
   if(olen)
     *olen = curlx_uztosi(outputlen);
+  }
   return str;
 }

Places

File curl-CVE-2016-7167.patch of Package curl.6669

Places