escape: add a length check in curl_easy_escape

Only accept up to SIZE_MAX/16 input bytes. To avoid overflows, mistakes
and abuse.

Follow-up to 9bfc7f9234

Reported-by: Daniel Santos

Closes #20086
This commit is contained in:
Daniel Stenberg 2025-12-24 00:09:37 +01:00
parent 8636ad55df
commit 76e7d496b6
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
2 changed files with 4 additions and 2 deletions

View file

@ -62,6 +62,9 @@ char *curl_easy_escape(CURL *data, const char *string, int inlength)
if(!length)
return curlx_strdup("");
if(length > SIZE_MAX/16)
return NULL;
curlx_dyn_init(&d, length * 3 + 1);
while(length--) {