File curl-CVE-2016-8622.patch of Package curl.openSUSE_Leap_42.3_Update
From 635590efc040a58a8ce7c9bd8ed84ff2933737cb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 4 Oct 2016 18:56:45 +0200
Subject: [PATCH] unescape: avoid integer overflow
---
docs/libcurl/curl_easy_unescape.3 | 7 +++++--
lib/dict.c | 10 +++++-----
lib/escape.c | 10 ++++++++--
3 files changed, 18 insertions(+), 9 deletions(-)
Index: curl-7.37.0/docs/libcurl/curl_easy_unescape.3
===================================================================
--- curl-7.37.0.orig/docs/libcurl/curl_easy_unescape.3 2016-10-24 11:30:46.595821069 +0200
+++ curl-7.37.0/docs/libcurl/curl_easy_unescape.3 2016-10-24 11:30:48.139844505 +0200
@@ -40,7 +40,10 @@ will use strlen() on the input \fIurl\fP
If \fBoutlength\fP is non-NULL, the function will write the length of the
returned string in the integer it points to. This allows an escaped string
-containing %00 to still get used properly after unescaping.
+containing %00 to still get used properly after unescaping. Since this is a
+pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no
+longer string can be unescaped if the string length is returned in this
+parameter.
You must \fIcurl_free(3)\fP the returned string when you're done with it.
.SH AVAILABILITY
Index: curl-7.37.0/lib/dict.c
===================================================================
--- curl-7.37.0.orig/lib/dict.c 2016-10-24 11:30:46.595821069 +0200
+++ curl-7.37.0/lib/dict.c 2016-10-24 11:30:48.139844505 +0200
@@ -52,7 +52,7 @@
#include <curl/curl.h>
#include "transfer.h"
#include "sendf.h"
-
+#include "escape.h"
#include "progress.h"
#include "strequal.h"
#include "dict.h"
@@ -100,12 +100,12 @@ static char *unescape_word(struct Sessio
char *newp;
char *dictp;
char *ptr;
- int len;
+ size_t len;
char byte;
int olen=0;
- newp = curl_easy_unescape(data, inputbuff, 0, &len);
- if(!newp)
+ CURLcode result = Curl_urldecode(data, inputbuff, 0, &newp, &len, FALSE);
+ if(!newp || result)
return NULL;
dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */
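Review bot: `olen` on the line after `char byte;` stays an `int` while `len` is widened to `size_t`, so if the rest of unescape_word (which continues past this hunk) counts the produced bytes in `olen`, a decoded word longer than INT_MAX still overflows a signed counter even though the length from Curl_urldecode no longer does; presumably it should become `size_t olen = 0;` as well. With `len` now unsigned, the `(size_t)len` cast in the malloc line is redundant and can be dropped, and since `len*2 + 1` is computed in size_t it would be worth a guard such as `if(len > (SIZE_MAX - 1) / 2) { free(newp); return NULL; }` before the allocation, unless Curl_urldecode already bounds its output. It is also not visible here whether Curl_urldecode leaves `newp` allocated when it returns an error, so the `if(!newp || result)` path may need a `free(newp)` before returning NULL; confirm against Curl_urldecode's contract.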
Index: curl-7.37.0/lib/escape.c
===================================================================
--- curl-7.37.0.orig/lib/escape.c 2016-10-24 11:30:48.139844505 +0200
+++ curl-7.37.0/lib/escape.c 2016-10-24 11:31:40.904648797 +0200
@@ -225,8 +225,13 @@ char *curl_easy_unescape(CURL *handle, c
FALSE);
if(res)
return NULL;
- if(olen)
- *olen = curlx_uztosi(outputlen);
+ if(olen) {
+ if(outputlen <= (size_t) INT_MAX)
+ *olen = curlx_uztosi(outputlen);
+ else
+ /* too large to return in an int, fail! */
+ Curl_safefree(str);
+ }
}
return str;
}
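Review bot: The new failure branch relies on Curl_safefree() resetting `str` to NULL so that the trailing `return str;` yields the failure value; that coupling is implicit and easy to break if the macro or the return is later changed, so an explicit `else { Curl_safefree(str); return NULL; }` would make the intent obvious. On that path `*olen` is deliberately left untouched, which is fine since the caller gets NULL, but a short comment stating that (`/* *olen is not written on failure */`) would save the next reader from wondering. The start of curl_easy_unescape, including the call that fills `outputlen`, is outside this hunk.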