components/curl/patches/020-CVE-2016-8622.patch
changeset 7552 17fdfad41903
7551:d7da0f26b875 7552:17fdfad41903
       
     1 From 71da91453899ba20b28ee9712620e323145a0ee5 Mon Sep 17 00:00:00 2001
       
     2 From: Daniel Stenberg <[email protected]>
       
     3 Date: Tue, 4 Oct 2016 18:56:45 +0200
       
     4 Subject: [PATCH] unescape: avoid integer overflow
       
     5 
       
     6 CVE-2016-8622
       
     7 
       
     8 Bug: https://curl.haxx.se/docs/adv_20161102H.html
       
     9 Reported-by: Cure53
       
    10 ---
       
    11  docs/libcurl/curl_easy_unescape.3 |  7 +++++--
       
    12  lib/dict.c                        | 10 +++++-----
       
    13  lib/escape.c                      | 10 ++++++++--
       
    14  3 files changed, 18 insertions(+), 9 deletions(-)
       
    15 
       
    16 --- docs/libcurl/curl_easy_unescape.3
       
    17 +++ docs/libcurl/curl_easy_unescape.3
       
    18 @@ -3,11 +3,11 @@
       
    19  .\" *  Project                     ___| | | |  _ \| |
       
    20  .\" *                             / __| | | | |_) | |
       
    21  .\" *                            | (__| |_| |  _ <| |___
       
    22  .\" *                             \___|\___/|_| \_\_____|
       
    23  .\" *
       
    24 -.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <[email protected]>, et al.
       
    25 +.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <[email protected]>, et al.
       
    26  .\" *
       
    27  .\" * This software is licensed as described in the file COPYING, which
       
    28  .\" * you should have received as part of this distribution. The terms
       
    29  .\" * are also available at https://curl.haxx.se/docs/copyright.html.
       
    30  .\" *
       
    31 @@ -38,11 +38,14 @@ their binary versions.
       
    32  If the \fBlength\fP argument is set to 0 (zero), \fIcurl_easy_unescape(3)\fP
       
    33  will use strlen() on the input \fIurl\fP string to find out the size.
       
    34  
       
    35  If \fBoutlength\fP is non-NULL, the function will write the length of the
       
    36  returned string in the integer it points to. This allows an escaped string
       
    37 -containing %00 to still get used properly after unescaping.
       
    38 +containing %00 to still get used properly after unescaping. Since this is a
       
    39 +pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no
       
    40 +longer string can be unescaped if the string length is returned in this
       
    41 +parameter.
       
    42  
       
    43  You must \fIcurl_free(3)\fP the returned string when you're done with it.
       
    44  .SH AVAILABILITY
       
    45  Added in 7.15.4 and replaces the old \fIcurl_unescape(3)\fP function.
       
    46  .SH RETURN VALUE
       
    47 --- lib/dict.c
       
    48 +++ lib/dict.c
       
    49 @@ -3,11 +3,11 @@
       
    50   *  Project                     ___| | | |  _ \| |
       
    51   *                             / __| | | | |_) | |
       
    52   *                            | (__| |_| |  _ <| |___
       
    53   *                             \___|\___/|_| \_\_____|
       
    54   *
       
    55 - * Copyright (C) 1998 - 2015, Daniel Stenberg, <[email protected]>, et al.
       
    56 + * Copyright (C) 1998 - 2016, Daniel Stenberg, <[email protected]>, et al.
       
    57   *
       
    58   * This software is licensed as described in the file COPYING, which
       
    59   * you should have received as part of this distribution. The terms
       
    60   * are also available at https://curl.haxx.se/docs/copyright.html.
       
    61   *
       
    62 @@ -50,11 +50,11 @@
       
    63  
       
    64  #include "urldata.h"
       
    65  #include <curl/curl.h>
       
    66  #include "transfer.h"
       
    67  #include "sendf.h"
       
    68 -
       
    69 +#include "escape.h"
       
    70  #include "progress.h"
       
    71  #include "strequal.h"
       
    72  #include "dict.h"
       
    73  #include "rawstr.h"
       
    74  #include "curl_memory.h"
       
    75 @@ -94,16 +94,16 @@ const struct Curl_handler Curl_handler_dict = {
       
    76  static char *unescape_word(struct Curl_easy *data, const char *inputbuff)
       
    77  {
       
    78    char *newp;
       
    79    char *dictp;
       
    80    char *ptr;
       
    81 -  int len;
       
    82 +  size_t len;
       
    83    char ch;
       
    84    int olen=0;
       
    85  
       
    86 -  newp = curl_easy_unescape(data, inputbuff, 0, &len);
       
    87 -  if(!newp)
       
    88 +  CURLcode result = Curl_urldecode(data, inputbuff, 0, &newp, &len, FALSE);
       
    89 +  if(!newp || result)
       
    90      return NULL;
       
    91  
       
    92    dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */
       
    93    if(dictp) {
       
    94      /* According to RFC2229 section 2.2, these letters need to be escaped with
       
    95 --- lib/escape.c
       
    96 +++ lib/escape.c
       
    97 @@ -222,12 +222,18 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string,
       
    98      size_t outputlen;
       
    99      CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
       
   100                                    FALSE);
       
   101      if(res)
       
   102        return NULL;
       
   103 -    if(olen)
       
   104 -      *olen = curlx_uztosi(outputlen);
       
   105 +
       
   106 +    if(olen) {
       
   107 +      if(outputlen <= (size_t) INT_MAX)
       
   108 +        *olen = curlx_uztosi(outputlen);
       
   109 +      else
       
   110 +        /* too large to return in an int, fail! */
       
   111 +        Curl_safefree(str);
       
   112 +    }
       
   113    }
       
   114    return str;
       
   115  }
       
   116  
       
   117  /* For operating systems/environments that use different malloc/free
       
   118 -- 
       
   119 2.9.3
       
   120
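Review bot: In the lib/dict.c hunk, `newp` is declared without an initializer (`char *newp;`) and the new check `if(!newp || result)` evaluates `!newp` before `result`, so on a Curl_urldecode error path that leaves `*ostring` untouched this reads an indeterminate pointer; Curl_urldecode's body is not on the page, so whether it stores into `*ostring` on every return is inferred. Initializing `char *newp = NULL;` or reordering the test to `if(result || !newp)` removes the dependence on that contract. With `len` now a `size_t`, the cast in `malloc(((size_t)len)*2 + 1)` is redundant and can be dropped. unescape_word's body continues past the hunk, and in the lib/escape.c hunk the `else` body would be clearer braced, since a comment sits between `else` and its single statement.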