components/curl/patches/009-CVE-2013-2174.patch
branchs11-update
changeset 4103 0a3f0d2f2c86
parent 4102 02730b605ff4
child 4111 72fcefade79a
4102:02730b605ff4 4103:0a3f0d2f2c86
     1 CVE-2013-2174: Heap-based buffer overflow in the curl_easy_unescape function
       
     2 in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote
       
     3 attackers to cause a denial of service (application crash) or possibly
       
     4 execute arbitrary code via a crafted string ending in a "%" (percent)
       
     5 character.
       
     6 
       
     7 CVE webpage for this problem:
       
     8 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174
       
     9 
       
    10 Relevant upstream patch at:
       
    11 https://github.com/bagder/curl/commit/192c4f788d48f82c03e9cef40013f34370e90737
       
    12 
       
    13 --- lib/escape.c.orig	2013-08-27 05:41:07.197713748 -0700
       
    14 +++ lib/escape.c	2013-08-27 05:42:54.003927843 -0700
       
    15 @@ -5,7 +5,7 @@
       
    16   *                            | (__| |_| |  _ <| |___
       
    17   *                             \___|\___/|_| \_\_____|
       
    18   *
       
    19 - * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al.
       
    20 + * Copyright (C) 1998 - 2013, Daniel Stenberg, <[email protected]>, et al.
       
    21   *
       
    22   * This software is licensed as described in the file COPYING, which
       
    23   * you should have received as part of this distribution. The terms
       
    24 @@ -165,7 +165,8 @@
       
    25  
       
    26    while(--alloc > 0) {
       
    27      in = *string;
       
    28 -    if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
       
    29 +    if(('%' == in) && (alloc > 2) &&
       
    30 +       ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
       
    31        /* this is two hexadecimal digits following a '%' */
       
    32        char hexstr[3];
       
    33        char *ptr;