components/curl/patches/008-CVE-2013-2174.patch
changeset 1449 d430caca2495
equal deleted inserted replaced
1448:3288b0639de6 1449:d430caca2495
       
     1 CVE-2013-2174: Heap-based buffer overflow in the curl_easy_unescape function
       
     2 in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote
       
     3 attackers to cause a denial of service (application crash) or possibly
       
     4 execute arbitrary code via a crafted string ending in a "%" (percent)
       
     5 character.
       
     6 
       
     7 CVE webpage for this problem:
       
     8 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174
       
     9 
       
    10 Relevant upstream patch at:
       
    11 https://github.com/bagder/curl/commit/192c4f788d48f82c03e9cef40013f34370e90737
       
    12 
       
    13 --- lib/escape.c.orig	2013-08-20 17:09:51.197431224 -0700
       
    14 +++ lib/escape.c	2013-08-20 17:10:43.746809478 -0700
       
    15 @@ -5,7 +5,7 @@
       
    16   *                            | (__| |_| |  _ <| |___
       
    17   *                             \___|\___/|_| \_\_____|
       
    18   *
       
    19 - * Copyright (C) 1998 - 2011, Daniel Stenberg, <[email protected]>, et al.
       
    20 + * Copyright (C) 1998 - 2013, Daniel Stenberg, <[email protected]>, et al.
       
    21   *
       
    22   * This software is licensed as described in the file COPYING, which
       
    23   * you should have received as part of this distribution. The terms
       
    24 @@ -159,7 +159,8 @@
       
    25  
       
    26    while(--alloc > 0) {
       
    27      in = *string;
       
    28 -    if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
       
    29 +    if(('%' == in) && (alloc > 2) &&
       
    30 +       ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
       
    31        /* this is two hexadecimal digits following a '%' */
       
    32        char hexstr[3];
       
    33        char *ptr;