File curl-CVE-2013-2174.patch of Package curl

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2013-2174.patch of Package curl

commit 45030219bf8b44270d40fc62e8a02411612d00cc
Author: Daniel Stenberg <daniel@haxx.se>
Date:   Sun May 19 23:24:29 2013 +0200

Curl_urldecode: no peaking beyond end of input buffer
    
    Security problem: ....
    
    If a program would give a string like "%" to curl_easy_unescape(), it
    would still consider the % as start of an encoded character. The
    function then not only read beyond the buffer but it would also deduct
    the *unsigned* counter variable for how many more bytes there's left to
    read in the buffer by two, making the counter wrap. Continuing this, the
    function would go on reading beyond the buffer and soon writing beyond
    the allocated target buffer...
    
    Reported-by: Timo Sirainen

Index: curl-7.19.0/lib/escape.c
===================================================================
--- curl-7.19.0.orig/lib/escape.c	2013-06-13 12:17:06.251345362 +0200
+++ curl-7.19.0/lib/escape.c	2013-06-13 12:17:07.228374970 +0200
@@ -149,7 +149,8 @@ char *curl_easy_unescape(CURL *handle, c
 
   while(--alloc > 0) {
     in = *string;
-    if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
+    if(('%' == in) && (alloc > 2) &&
+       ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
       /* this is two hexadecimal digits following a '%' */
       char hexstr[3];
       char *ptr;

Places

File curl-CVE-2013-2174.patch of Package curl

Places