equal
deleted
inserted
replaced
|
1 From 3599341dd611303ee9544839d30f603f606d1082 Mon Sep 17 00:00:00 2001 |
|
2 From: Daniel Stenberg <[email protected]> |
|
3 Date: Wed, 28 Sep 2016 00:05:12 +0200 |
|
4 Subject: [PATCH] base64: check for integer overflow on large input |
|
5 |
|
6 CVE-2016-8617 |
|
7 |
|
8 Bug: https://curl.haxx.se/docs/adv_20161102C.html |
|
9 Reported-by: Cure53 |
|
10 --- |
|
11 lib/base64.c | 5 +++++ |
|
12 1 file changed, 5 insertions(+) |
|
13 |
|
14 --- lib/base64.c |
|
15 +++ lib/base64.c |
|
16 @@ -188,10 +188,15 @@ static CURLcode base64_encode(const char *table64, |
|
17 *outlen = 0; |
|
18 |
|
19 if(0 == insize) |
|
20 insize = strlen(indata); |
|
21 |
|
22 +#if SIZEOF_SIZE_T == 4 |
|
23 + if(insize > UINT_MAX/4) |
|
24 + return CURLE_OUT_OF_MEMORY; |
|
25 +#endif |
|
26 + |
|
27 base64data = output = malloc(insize*4/3+4); |
|
28 if(NULL == output) |
|
29 return CURLE_OUT_OF_MEMORY; |
|
30 |
|
31 /* |
|
32 -- |
|
33 2.9.3 |
|
34 |