From bf0bb3849422c043f21f56fae57c1cf85e41a272 Mon Sep 17 00:00:00 2001

From: Daniel Stenberg <daniel@haxx.se>

Date: Thu, 8 Sep 2016 22:59:54 +0200

Subject: [PATCH] CVE-2016-7167: deny negative string length inputs

Bug: https://curl.haxx.se/docs/adv_20160914.html

---

lib/escape.c | 28 ++++++++++++++++++----------

1 file changed, 18 insertions(+), 10 deletions(-)

--- lib/escape.c

+++ lib/escape.c

@@ -76,18 +76,24 @@ char *curl_unescape(const char *string, int length)

}

char *curl_easy_escape(CURL *handle, const char *string, int inlength)

{

- size_t alloc = (inlength?(size_t)inlength:strlen(string))+1;

+ size_t alloc;

char *ns;

char *testing_ptr = NULL;

unsigned char in; /* we need to treat the characters unsigned */

- size_t newlen = alloc;

+ size_t newlen;

size_t strindex=0;

size_t length;

CURLcode result;

+ if(inlength < 0)

+ return NULL;

+

+ alloc = (inlength?(size_t)inlength:strlen(string))+1;

+ newlen = alloc;

+

ns = malloc(alloc);

if(!ns)

return NULL;

length = alloc-1;

@@ -209,18 +215,20 @@ CURLcode Curl_urldecode(struct Curl_easy *data,

*/

char *curl_easy_unescape(CURL *handle, const char *string, int length,

int *olen)

{

char *str = NULL;

- size_t inputlen = length;

- size_t outputlen;

- CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,

- FALSE);

- if(res)

- return NULL;

- if(olen)

- *olen = curlx_uztosi(outputlen);

+ if(length >= 0) {

+ size_t inputlen = length;

+ size_t outputlen;

+ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,

+ FALSE);

+ if(res)

+ return NULL;

+ if(olen)

+ *olen = curlx_uztosi(outputlen);

+ }

return str;

}

/* For operating systems/environments that use different malloc/free

systems for the app and for this library, we provide a free that uses

--

2.9.3