CVE-2013-2174: Heap-based buffer overflow in the curl_easy_unescape function
in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote
attackers to cause a denial of service (application crash) or possibly
execute arbitrary code via a crafted string ending in a "%" (percent)
character.

CVE webpage for this problem:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174

Relevant upstream patch at:
https://github.com/bagder/curl/commit/192c4f788d48f82c03e9cef40013f34370e90737

13 --- lib/escape.c.orig 2013-08-27 05:41:07.197713748 -0700 |
|
14 +++ lib/escape.c 2013-08-27 05:42:54.003927843 -0700 |
|
15 @@ -5,7 +5,7 @@ |
|
16 * | (__| |_| | _ <| |___ |
|
17 * \___|\___/|_| \_\_____| |
|
18 * |
|
19 - * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al. |
|
20 + * Copyright (C) 1998 - 2013, Daniel Stenberg, <[email protected]>, et al. |
|
21 * |
|
22 * This software is licensed as described in the file COPYING, which |
|
23 * you should have received as part of this distribution. The terms |
|
24 @@ -165,7 +165,8 @@ |
|
25 |
|
26 while(--alloc > 0) { |
|
27 in = *string; |
|
28 - if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { |
|
29 + if(('%' == in) && (alloc > 2) && |
|
30 + ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { |
|
31 /* this is two hexadecimal digits following a '%' */ |
|
32 char hexstr[3]; |
|
33 char *ptr; |
|
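Review bot: the new `(alloc > 2)` guard on the `if` inside `while(--alloc > 0)` depends on an invariant that is not written down anywhere in the visible lines, namely that `alloc` counts the input bytes still to be consumed, so that a value above 2 guarantees `string[1]` and `string[2]` are inside the buffer. The ordering is right, since `&&` short-circuits and the length test runs before either `ISXDIGIT` read, but the existing comment `/* this is two hexadecimal digits following a '%' */` says nothing about the bound. I would add a one-line comment above the condition stating what `alloc` represents at that point, and confirm that the part of the body not shown here keeps `alloc` in step with `string` when the two hex digits are consumed, otherwise the guard drifts from the real remaining length. A regression test for inputs ending in "%" and in "%" followed by a single hex digit, the case named in the CVE text, should accompany the change.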