author | Yiteng Zhang <yiteng.zhang@oracle.com> |
Tue, 25 Oct 2016 14:43:21 -0700 | |
branch | s11u3-sru |
changeset 7255 | c7815ed3b336 |
permissions | -rw-r--r-- |
24409713 problem in LIBRARY/CURL
From bf0bb3849422c043f21f56fae57c1cf85e41a272 Mon Sep 17 00:00:00 2001 |
From: Daniel Stenberg <[email protected]> |
Date: Thu, 8 Sep 2016 22:59:54 +0200 |
Subject: [PATCH] CVE-2016-7167: deny negative string length inputs |
|
Bug: https://curl.haxx.se/docs/adv_20160914.html |
--- |
lib/escape.c | 28 ++++++++++++++++++---------- |
1 file changed, 18 insertions(+), 10 deletions(-) |
|
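--- a/lib/escape.c
+++ b/lib/escape.c
@@ -76,18 +76,24 @@ char *curl_unescape(const char *string, int length)
 }
 
 char *curl_easy_escape(CURL *handle, const char *string, int inlength)
 {
- size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;
+ size_t alloc;
 char *ns;
 char *testing_ptr = NULL;
 unsigned char in; /* we need to treat the characters unsigned */
- size_t newlen = alloc;
+ size_t newlen;
 size_t strindex=0;
 size_t length;
 CURLcode result;
 
+ if(inlength < 0)
+ return NULL;
+
+ alloc = (inlength?(size_t)inlength:strlen(string))+1;
+ newlen = alloc;
+
 ns = malloc(alloc);
 if(!ns)
 return NULL;
 
 length = alloc-1;
@@ -209,18 +215,20 @@ CURLcode Curl_urldecode(struct Curl_easy *data,
 */
 char *curl_easy_unescape(CURL *handle, const char *string, int length,
 int *olen)
 {
 char *str = NULL;
- size_t inputlen = length;
- size_t outputlen;
- CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
- FALSE);
- if(res)
- return NULL;
- if(olen)
- *olen = curlx_uztosi(outputlen);
+ if(length >= 0) {
+ size_t inputlen = length;
+ size_t outputlen;
+ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
+ FALSE);
+ if(res)
+ return NULL;
+ if(olen)
+ *olen = curlx_uztosi(outputlen);
+ }
 return str;
 }
 
 /* For operating systems/environments that use different malloc/free
 systems for the app and for this library, we provide a free that uses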
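Review bot: The narrowing at `*olen = curlx_uztosi(outputlen);` in curl_easy_unescape is still unguarded, because the new `length >= 0` test bounds only the caller-supplied length and a `length` of 0 passes it. If Curl_urldecode falls back to strlen() for a zero length (not visible in this section, though curl_easy_escape above follows that convention), the decoded size can exceed what an int holds where size_t is wider, and the caller then gets a length that does not match the returned buffer. I would reject such a result before writing `*olen`, as sketched below; INT_MAX needs <limits.h> in scope. The negative-length path also returns NULL with `*olen` unwritten, which deserves a comment above the guard such as `/* negative length: fail without touching *olen */`.

```c
    if(res)
      return NULL;
    if(olen) {
      if(outputlen <= (size_t)INT_MAX)
        *olen = curlx_uztosi(outputlen);
      else {
        /* decoded length does not fit in an int: fail rather than report a
           truncated size */
        free(str);
        str = NULL;
      }
    }
    /* … unchanged: end of the length check, return str … */
```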
-- |
2.9.3 |