home:Alexander_Naumov:SLE-12:Update
File curl-CVE-2016-8622.patch of Package curl.10931
From 635590efc040a58a8ce7c9bd8ed84ff2933737cb Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Tue, 4 Oct 2016 18:56:45 +0200 Subject: [PATCH] unescape: avoid integer overflow --- docs/libcurl/curl_easy_unescape.3 | 7 +++++-- lib/dict.c | 10 +++++----- lib/escape.c | 10 ++++++++-- 3 files changed, 18 insertions(+), 9 deletions(-) Index: curl-7.37.0/docs/libcurl/curl_easy_unescape.3 =================================================================== --- curl-7.37.0.orig/docs/libcurl/curl_easy_unescape.3 2016-10-24 11:30:46.595821069 +0200 +++ curl-7.37.0/docs/libcurl/curl_easy_unescape.3 2016-10-24 11:30:48.139844505 +0200 @@ -40,7 +40,10 @@ will use strlen() on the input \fIurl\fP If \fBoutlength\fP is non-NULL, the function will write the length of the returned string in the integer it points to. This allows an escaped string -containing %00 to still get used properly after unescaping. +containing %00 to still get used properly after unescaping. Since this is a +pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no +longer string can be unescaped if the string length is returned in this +parameter. You must \fIcurl_free(3)\fP the returned string when you're done with it. .SH AVAILABILITY Index: curl-7.37.0/lib/dict.c =================================================================== --- curl-7.37.0.orig/lib/dict.c 2016-10-24 11:30:46.595821069 +0200 +++ curl-7.37.0/lib/dict.c 2016-10-24 11:30:48.139844505 +0200 @@ -52,7 +52,7 @@ #include <curl/curl.h> #include "transfer.h" #include "sendf.h" - +#include "escape.h" #include "progress.h" #include "strequal.h" #include "dict.h" 
@@ -100,12 +100,12 @@ static char *unescape_word(struct Sessio char *newp; char *dictp; char *ptr; - int len; + size_t len; char byte; int olen=0; - newp = curl_easy_unescape(data, inputbuff, 0, &len); - if(!newp) + CURLcode result = Curl_urldecode(data, inputbuff, 0, &newp, &len, FALSE); + if(!newp || result) return NULL; dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */ Index: curl-7.37.0/lib/escape.c =================================================================== --- curl-7.37.0.orig/lib/escape.c 2016-10-24 11:30:48.139844505 +0200 +++ curl-7.37.0/lib/escape.c 2016-10-24 11:31:40.904648797 +0200 @@ -225,8 +225,13 @@ char *curl_easy_unescape(CURL *handle, c FALSE); if(res) return NULL; - if(olen) - *olen = curlx_uztosi(outputlen); + if(olen) { + if(outputlen <= (size_t) INT_MAX) + *olen = curlx_uztosi(outputlen); + else + /* too large to return in an int, fail! */ + Curl_safefree(str); + } } return str; }
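Review bot: In the docs/libcurl/curl_easy_unescape.3 hunk, the added sentence says a longer string cannot be unescaped when the length is returned through outlength, but it does not tell the caller what the function does in that case. The lib/escape.c change in this patch treats it as a failure ("too large to return in an int, fail!"), so the man page should state the return value on that path and that nothing is left for the caller to pass to curl_free(3).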
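Review bot: In the unescape_word hunk of lib/dict.c, `if(!newp || result)` tests newp before result, and newp is declared as `char *newp;` with no initializer, so if Curl_urldecode returns an error without storing to its output pointer the condition reads an indeterminate value. Test result first, as in `if(result || !newp)`, or initialize newp to NULL at its declaration. With len now a size_t, the `(size_t)len` cast in the malloc line that follows is redundant, and `len*2 + 1` is still computed without an overflow check; a guard before the allocation would keep this function consistent with the purpose of the patch.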
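Review bot: In the lib/escape.c hunk, the new else branch calls `Curl_safefree(str);` and then falls through to `return str;`, so the failure path is only correct if Curl_safefree also resets str to NULL; if it does not, the caller receives a freed pointer. Make that dependency explicit in the comment or add `str = NULL;` after the free. The branch also leaves *olen unwritten on failure, which a caller that reads the length without checking the return value will not notice, and the else body is a comment followed by a single unbraced statement, which is easy to misread; bracing it would help.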