From 7959c5713bbec03c9284a14b1fdd7379520199bc Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 8 Sep 2016 22:59:54 +0200 Subject: [PATCH 1/2] curl_easy_escape: deny negative string lengths as input CVE-2016-7167 Bug: https://curl.haxx.se/docs/adv_20160914.html Upstream-commit: 826a9ced2bed217155e34065ef4048931f327b1e Signed-off-by: Kamil Dudka --- lib/escape.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/lib/escape.c b/lib/escape.c index 40338a9..c6aa3b9 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -80,15 +80,21 @@ char *curl_unescape(const char *string, int length) char *curl_easy_escape(CURL *handle, const char *string, int inlength) { - size_t alloc = (inlength?(size_t)inlength:strlen(string))+1; + size_t alloc; char *ns; char *testing_ptr = NULL; unsigned char in; /* we need to treat the characters unsigned */ - size_t newlen = alloc; + size_t newlen; size_t strindex=0; size_t length; CURLcode res; + if(inlength < 0) + return NULL; + + alloc = (inlength?(size_t)inlength:strlen(string))+1; + newlen = alloc; + ns = malloc(alloc); if(!ns) return NULL; -- 2.7.4 From 6a280152e3893938e5d26f5d535613eefab80b5a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 13 Sep 2016 23:00:50 +0200 Subject: [PATCH 2/2] curl_easy_unescape: deny negative string lengths as input CVE-2016-7167 Bug: https://curl.haxx.se/docs/adv_20160914.html Upstream-commit: 01cf1308ee2e792c77bb1d2c9218c56a30fd40ae Signed-off-by: Kamil Dudka --- lib/escape.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/lib/escape.c b/lib/escape.c index c6aa3b9..808ac6c 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -219,14 +219,16 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, int *olen) { char *str = NULL; - size_t inputlen = length; - size_t outputlen; - CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen, - FALSE); - if(res) - return NULL; - if(olen) - *olen = curlx_uztosi(outputlen); + if(length >= 0) { + size_t inputlen = length; + size_t outputlen; + CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen, + FALSE); + if(res) + return NULL; + if(olen) + *olen = curlx_uztosi(outputlen); + } return str; } -- 2.7.4