|
1 From 71da91453899ba20b28ee9712620e323145a0ee5 Mon Sep 17 00:00:00 2001 |
|
2 From: Daniel Stenberg <[email protected]> |
|
3 Date: Tue, 4 Oct 2016 18:56:45 +0200 |
|
4 Subject: [PATCH] unescape: avoid integer overflow |
|
5 |
|
6 CVE-2016-8622 |
|
7 |
|
8 Bug: https://curl.haxx.se/docs/adv_20161102H.html |
|
9 Reported-by: Cure53 |
|
10 --- |
|
11 docs/libcurl/curl_easy_unescape.3 | 7 +++++-- |
|
12 lib/dict.c | 10 +++++----- |
|
13 lib/escape.c | 10 ++++++++-- |
|
14 3 files changed, 18 insertions(+), 9 deletions(-) |
|
15 |
|
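--- a/docs/libcurl/curl_easy_unescape.3
+++ b/docs/libcurl/curl_easy_unescape.3
@@ -3,11 +3,11 @@
 .\" * Project ___| | | | _ \| |
 .\" * / __| | | | |_) | |
 .\" * | (__| |_| | _ <| |___
 .\" * \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <[email protected]>, et al.
+.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <[email protected]>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
 .\" * are also available at https://curl.haxx.se/docs/copyright.html.
 .\" *
@@ -38,11 +38,14 @@ their binary versions.
 If the \fBlength\fP argument is set to 0 (zero), \fIcurl_easy_unescape(3)\fP
 will use strlen() on the input \fIurl\fP string to find out the size.
 
 If \fBoutlength\fP is non-NULL, the function will write the length of the
 returned string in the integer it points to. This allows an escaped string
-containing %00 to still get used properly after unescaping.
+containing %00 to still get used properly after unescaping. Since this is a
+pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no
+longer string can be unescaped if the string length is returned in this
+parameter.
 
 You must \fIcurl_free(3)\fP the returned string when you're done with it.
 .SH AVAILABILITY
 Added in 7.15.4 and replaces the old \fIcurl_unescape(3)\fP function.
 .SH RETURN VALUE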
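--- a/lib/dict.c
+++ b/lib/dict.c
@@ -3,11 +3,11 @@
 * Project ___| | | | _ \| |
 * / __| | | | |_) | |
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2015, Daniel Stenberg, <[email protected]>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <[email protected]>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.haxx.se/docs/copyright.html.
 *
@@ -50,11 +50,11 @@
 
 #include "urldata.h"
 #include <curl/curl.h>
 #include "transfer.h"
 #include "sendf.h"
-
+#include "escape.h"
 #include "progress.h"
 #include "strequal.h"
 #include "dict.h"
 #include "rawstr.h"
 #include "curl_memory.h"
@@ -94,16 +94,16 @@ const struct Curl_handler Curl_handler_dict = {
 static char *unescape_word(struct Curl_easy *data, const char *inputbuff)
 {
 char *newp;
 char *dictp;
 char *ptr;
- int len;
+ size_t len;
 char ch;
 int olen=0;
 
- newp = curl_easy_unescape(data, inputbuff, 0, &len);
- if(!newp)
+ CURLcode result = Curl_urldecode(data, inputbuff, 0, &newp, &len, FALSE);
+ if(!newp || result)
 return NULL;
 
 dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */
 if(dictp) {
 /* According to RFC2229 section 2.2, these letters need to be escaped with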
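Review bot: In unescape_word the output counter is still declared `int olen=0;` while the input length became `size_t len;`, so the int/size_t mismatch the commit removes for the input survives for the output side; if the loop that follows (outside the hunk) bumps `olen` once per emitted byte, an input longer than INT_MAX/2 would still overflow it, and `size_t olen=0;` with matching users would close that. The cast in `dictp = malloc(((size_t)len)*2 + 1);` is now a no-op and `dictp = malloc(len*2 + 1);` reads cleaner. With `len` unsigned, a one-line comment on that allocation noting that `len*2 + 1` is assumed not to wrap would document the remaining bound. The body of unescape_word continues past the end of the hunk.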
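--- a/lib/escape.c
+++ b/lib/escape.c
@@ -222,12 +222,18 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string,
 size_t outputlen;
 CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
 FALSE);
 if(res)
 return NULL;
- if(olen)
- *olen = curlx_uztosi(outputlen);
+
+ if(olen) {
+ if(outputlen <= (size_t) INT_MAX)
+ *olen = curlx_uztosi(outputlen);
+ else
+ /* too large to return in an int, fail! */
+ Curl_safefree(str);
+ }
 }
 return str;
 }
 
 /* For operating systems/environments that use different malloc/free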
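Review bot: The new `else` branch in curl_easy_unescape puts a comment line between `else` and its single statement with no braces, which is the layout where a later added line silently lands outside the branch; brace it as `else { /* too large to return in an int, fail! */ Curl_safefree(str); }`. On that path `*olen` is never written, so a caller only learns of the rejection from the NULL result (assuming Curl_safefree nulls `str` before `return str;`); a short comment above the function stating that `*olen` is assigned only when a non-NULL string is returned would make that contract explicit in the source as well as the man page. The enclosing function begins before the hunk.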
118 -- |
|
119 2.9.3 |
|
120 |