romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-29 00:22:11 +03:00
Code Issues Projects Releases Packages Wiki Activity

curl_easy_unescape: deny negative string lengths as input

Browse source 
CVE-2016-7167

Bug: https://curl.haxx.se/docs/adv_20160914.html
This commit is contained in:
Daniel Stenberg 2016-09-13 23:00:50 +02:00
parent 826a9ced2b
commit 01cf1308ee
1 changed files with 10 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

18
lib/escape.c
View file

@ -217,14 +217,16 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string,
int length, int *olen)
{
char *str = NULL;
size_t inputlen = length;
size_t outputlen;
CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
FALSE);
if(res)
return NULL;
if(olen)
*olen = curlx_uztosi(outputlen);
if(length >= 0) {
size_t inputlen = length;
size_t outputlen;
CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
FALSE);
if(res)
return NULL;
if(olen)
*olen = curlx_uztosi(outputlen);
}
return str;
}