romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-14 21:31:42 +03:00
Code Issues Projects Releases Packages Wiki Activity

escape: add a length check in curl_easy_escape

Browse source 
Only accept up to SIZE_MAX/16 input bytes. To avoid overflows, mistakes
and abuse.

Follow-up to 9bfc7f9234

Reported-by: Daniel Santos

Closes #20086
This commit is contained in:
Daniel Stenberg 2025-12-24 00:09:37 +01:00
parent 8636ad55df
commit 76e7d496b6
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
2 changed files with 4 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
docs/libcurl/curl_easy_escape.md
View file

@ -34,8 +34,7 @@ A-Z, 0-9, '-', '.', '_' or '~' are converted to their "URL escaped" version
constrained by its type, the returned string may not be altered.
If *length* is set to 0 (zero), curl_easy_escape(3) uses strlen() on the input
*string* to find out the size. This function does not accept input strings
longer than **CURL_MAX_INPUT_LENGTH** (8 MB).
*string* to find out the size.
You must curl_free(3) the returned string when you are done with it.

3
lib/escape.c
View file

@ -62,6 +62,9 @@ char *curl_easy_escape(CURL *data, const char *string, int inlength)
if(!length)
return curlx_strdup("");
if(length > SIZE_MAX/16)
return NULL;
curlx_dyn_init(&d, length * 3 + 1);
while(length--) {