fixup postfields use curl_off_t, and cap overly long string outputs

author: Daniel Stenberg <daniel@haxx.se> 2020-10-01 23:37:30 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2020-10-01 23:37:30 +0200
commit: 9618e3164c33afdfe193771601445d7c71ab6f71 (patch)
tree: 65bb148462bfb5a67b945eb6aaabd6f05b158c05
parent: da00d983b2933d81594ec12a7a10ff9fe5c83bfc (diff)
download: curl-9618e3164c33afdfe193771601445d7c71ab6f71.tar.gz
1 files changed, 25 insertions, 15 deletions
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
index 0cf1a1da6..19d22c9ce 100644
--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
@@ -219,21 +219,26 @@ static const struct NameValue setopt_nv_CURLNONZERODEFAULTS[] = {
 
 /* Escape string to C string syntax.  Return NULL if out of memory.
  * Is this correct for those wacky EBCDIC guys? */
-static char *c_escape(const char *str, size_t len)
+
+#define MAX_STRING_LENGTH_OUTPUT 2000
+#define ZERO_TERMINATED -1
+
+static char *c_escape(const char *str, curl_off_t len)
 {
   const char *s;
   unsigned char c;
   char *escaped, *e;
+  bool cutoff = FALSE;
 
-  if(len == CURL_ZERO_TERMINATED)
+  if(len == ZERO_TERMINATED)
     len = strlen(str);
 
-  /* Check for possible overflow. */
-  if(len > (~(size_t) 0) / 4)
-    return NULL;
+  if(len > MAX_STRING_LENGTH_OUTPUT)
+    /* cap ridiculously long strings */
+    len = MAX_STRING_LENGTH_OUTPUT;
 
   /* Allocate space based on worst-case */
-  escaped = malloc(4 * len + 1);
+  escaped = malloc(4 * len + 1 + cutoff * 3);
   if(!escaped)
     return NULL;
 
@@ -267,6 +272,11 @@ static char *c_escape(const char *str, size_t len)
     else
       *e++ = c;
   }
+  if(cutoff) {
+    *e++ = '.';
+    *e++ = '.';
+    *e++ = '.';
+  }
   *e = '\0';
   return escaped;
 }
@@ -405,7 +415,7 @@ static CURLcode libcurl_generate_slist(struct curl_slist *slist, int *slistno)
   CLEAN1("slist%d = NULL;", *slistno);
   for(; slist; slist = slist->next) {
     Curl_safefree(escaped);
-    escaped = c_escape(slist->data, CURL_ZERO_TERMINATED);
+    escaped = c_escape(slist->data, ZERO_TERMINATED);
     if(!escaped)
       return CURLE_OUT_OF_MEMORY;
     DATA3("slist%d = curl_slist_append(slist%d, \"%s\");",
@@ -456,7 +466,7 @@ static CURLcode libcurl_generate_mime_part(CURL *curl,
   case TOOLMIME_DATA:
 #ifdef CURL_DOES_CONVERSIONS
     /* Data will be set in ASCII, thus issue a comment with clear text. */
-    escaped = c_escape(part->data, CURL_ZERO_TERMINATED);
+    escaped = c_escape(part->data, ZERO_TERMINATED);
     NULL_CHECK(escaped);
     CODE1("/* \"%s\" */", escaped);
 
@@ -475,7 +485,7 @@ static CURLcode libcurl_generate_mime_part(CURL *curl,
 #endif
     if(!ret) {
       Curl_safefree(escaped);
-      escaped = c_escape(data, CURL_ZERO_TERMINATED);
+      escaped = c_escape(data, ZERO_TERMINATED);
       NULL_CHECK(escaped);
       CODE2("curl_mime_data(part%d, \"%s\", CURL_ZERO_TERMINATED);",
                             mimeno, escaped);
@@ -484,7 +494,7 @@ static CURLcode libcurl_generate_mime_part(CURL *curl,
 
   case TOOLMIME_FILE:
   case TOOLMIME_FILEDATA:
-    escaped = c_escape(part->data, CURL_ZERO_TERMINATED);
+    escaped = c_escape(part->data, ZERO_TERMINATED);
     NULL_CHECK(escaped);
     CODE2("curl_mime_filedata(part%d, \"%s\");", mimeno, escaped);
     if(part->kind == TOOLMIME_FILEDATA && !filename) {
@@ -509,28 +519,28 @@ static CURLcode libcurl_generate_mime_part(CURL *curl,
 
   if(!ret && part->encoder) {
     Curl_safefree(escaped);
-    escaped = c_escape(part->encoder, CURL_ZERO_TERMINATED);
+    escaped = c_escape(part->encoder, ZERO_TERMINATED);
     NULL_CHECK(escaped);
     CODE2("curl_mime_encoder(part%d, \"%s\");", mimeno, escaped);
   }
 
   if(!ret && filename) {
     Curl_safefree(escaped);
-    escaped = c_escape(filename, CURL_ZERO_TERMINATED);
+    escaped = c_escape(filename, ZERO_TERMINATED);
     NULL_CHECK(escaped);
     CODE2("curl_mime_filename(part%d, \"%s\");", mimeno, escaped);
   }
 
   if(!ret && part->name) {
     Curl_safefree(escaped);
-    escaped = c_escape(part->name, CURL_ZERO_TERMINATED);
+    escaped = c_escape(part->name, ZERO_TERMINATED);
     NULL_CHECK(escaped);
     CODE2("curl_mime_name(part%d, \"%s\");", mimeno, escaped);
   }
 
   if(!ret && part->type) {
     Curl_safefree(escaped);
-    escaped = c_escape(part->type, CURL_ZERO_TERMINATED);
+    escaped = c_escape(part->type, ZERO_TERMINATED);
     NULL_CHECK(escaped);
     CODE2("curl_mime_type(part%d, \"%s\");", mimeno, escaped);
   }
@@ -720,7 +730,7 @@ CURLcode tool_setopt(CURL *curl, bool str, struct GlobalConfig *global,
       REM2("%s set to a %s", name, value);
     else {
       if(escape) {
-        size_t len = CURL_ZERO_TERMINATED;
+        curl_off_t len = ZERO_TERMINATED;
         if(tag == CURLOPT_POSTFIELDS)
           len = config->postfieldsize;
         escaped = c_escape(value, len);
author	Daniel Stenberg <daniel@haxx.se>	2020-10-01 23:37:30 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2020-10-01 23:37:30 +0200
commit	9618e3164c33afdfe193771601445d7c71ab6f71 (patch)
tree	65bb148462bfb5a67b945eb6aaabd6f05b158c05
parent	da00d983b2933d81594ec12a7a10ff9fe5c83bfc (diff)
download	curl-9618e3164c33afdfe193771601445d7c71ab6f71.tar.gz