tool_urlglob: add integer overflow protection

It is most likely impossible to actually overflow, but this makes it
certain.

Closes #18398
Daniel Stenberg 2025-08-26 08:56:07 +02:00
parent 57d349fe0e
commit fef318553b
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2


@ -124,17 +124,21 @@ static CURLcode glob_set(struct URLGlob *glob, const char **patternp,
/* add 1 to size since it will be incremented below */
if(multiply(amount, pat->c.set.size + 1))
return globerror(glob, "range overflow", 0, CURLE_URL_MALFORMAT);
done = TRUE;
FALLTHROUGH();
case ',':
if(pat->c.set.elem) {
char **new_arr = realloc(pat->c.set.elem,
(size_t)(pat->c.set.size + 1) *
sizeof(char *));
if(!new_arr)
char **arr;
if(pat->c.set.size >= (curl_off_t)(SIZE_T_MAX/(sizeof(char *))))
return globerror(glob, "range overflow", 0, CURLE_URL_MALFORMAT);
arr = realloc(pat->c.set.elem, (size_t)(pat->c.set.size + 1) *
sizeof(char *));
if(!arr)
return globerror(glob, NULL, 0, CURLE_OUT_OF_MEMORY);
pat->c.set.elem = new_arr;
pat->c.set.elem = arr;
}
else
pat->c.set.elem = malloc(sizeof(char *));
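Review bot: The new guard `if(pat->c.set.size >= (curl_off_t)(SIZE_T_MAX/(sizeof(char *))))` has no comment saying why the comparison is `>=` rather than `>`. The reason is the `+ 1` in the realloc size expression on the following lines, and a later edit that changes one without the other would bring the overflow back. I would add `/* size + 1 pointers must fit in a size_t byte count */` directly above the check. The comparison is made in `curl_off_t`, so it bounds the value only from above; that is enough if `size` can never be negative, which is presumably the case but is not visible here. glob_set starts before this hunk and continues past it.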
@ -149,14 +153,9 @@ static CURLcode glob_set(struct URLGlob *glob, const char **patternp,
++pat->c.set.size;
curlx_dyn_reset(&glob->buf);
if(*pattern == '}') {
pattern++; /* pass the closing brace */
done = TRUE;
continue;
}
++pattern;
++(*posp);
if(!done)
++(*posp);
break;
case ']': /* illegal closing bracket */