diff options
author | Daniel Stenberg <daniel@haxx.se> | 2017-08-14 23:33:23 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2017-08-14 23:33:41 +0200 |
commit | ff50fe0348466cae1a9f9f759b362c03f7060c34 (patch) | |
tree | 6a5a6efbe7bd7b00e49982e09a5da8f8341de28c /lib/cookie.c | |
parent | b53b4e44241415c0a7ad857c72ec323109d2a7c0 (diff) | |
download | curl-ff50fe0348466cae1a9f9f759b362c03f7060c34.tar.gz |
strtoofft: reduce integer overflow risks globally
... make sure we bail out on overflows.
Reported-by: Brian Carpenter
Closes #1758
Diffstat (limited to 'lib/cookie.c')
-rw-r--r-- | lib/cookie.c | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/lib/cookie.c b/lib/cookie.c index 6b678aeb8..eba2536ef 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -593,14 +593,20 @@ Curl_cookie_add(struct Curl_easy *data, } while(semiptr); if(co->maxage) { - co->expires = - curlx_strtoofft((*co->maxage=='\"')? - &co->maxage[1]:&co->maxage[0], NULL, 10); - if(CURL_OFF_T_MAX - now < co->expires) - /* avoid overflow */ + CURLofft offt; + offt = curlx_strtoofft((*co->maxage=='\"')? + &co->maxage[1]:&co->maxage[0], NULL, 10, + &co->expires); + if(offt == CURL_OFFT_FLOW) + /* overflow, used max value */ co->expires = CURL_OFF_T_MAX; - else - co->expires += now; + else if(!offt) { + if(CURL_OFF_T_MAX - now < co->expires) + /* would overflow */ + co->expires = CURL_OFF_T_MAX; + else + co->expires += now; + } } else if(co->expirestr) { /* Note that if the date couldn't get parsed for whatever reason, @@ -753,7 +759,8 @@ Curl_cookie_add(struct Curl_easy *data, co->secure = strcasecompare(ptr, "TRUE")?TRUE:FALSE; break; case 4: - co->expires = curlx_strtoofft(ptr, NULL, 10); + if(curlx_strtoofft(ptr, NULL, 10, &co->expires)) + badcookie = TRUE; break; case 5: co->name = strdup(ptr); |