author | Daniel Stenberg <daniel@haxx.se> | 2016-09-13 23:00:50 +0200 |
committer | Daniel Stenberg <daniel@haxx.se> | 2016-09-14 07:49:43 +0200 |
commit | 01cf1308ee2e792c77bb1d2c9218c56a30fd40ae (patch) | |
tree | e9a734faa378ec8a392c08f68e6e2ff503f91dc5 /lib/escape.c | |
parent | 826a9ced2bed217155e34065ef4048931f327b1e (diff) | |
download | curl-01cf1308ee2e792c77bb1d2c9218c56a30fd40ae.tar.gz |
curl_easy_unescape: deny negative string lengths as input
CVE-2016-7167
Bug: https://curl.haxx.se/docs/adv_20160914.html
Diffstat (limited to 'lib/escape.c')
-rw-r--r-- | lib/escape.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/lib/escape.c b/lib/escape.c
index 63edd84fa..e61260d7c 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -217,14 +217,16 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string,
 int length, int *olen)
 {
 char *str = NULL;
- size_t inputlen = length;
- size_t outputlen;
- CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
- FALSE);
- if(res)
- return NULL;
- if(olen)
- *olen = curlx_uztosi(outputlen);
+ if(length >= 0) {
+ size_t inputlen = length;
+ size_t outputlen;
+ CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen,
+ FALSE);
+ if(res)
+ return NULL;
+ if(olen)
+ *olen = curlx_uztosi(outputlen);
+ }
 return str;
 }
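Review bot: On the new rejection path (`length < 0`) the function returns NULL but leaves `*olen` untouched, so a caller that passes `olen` and reads it before checking the return value sees whatever it held before; consider `if(olen) *olen = 0;` ahead of the `if(length >= 0)` guard, or state in the function's documentation that `*olen` is only written on success. The pre-existing `if(res) return NULL;` path has the same property, so a single early initialisation would cover both. The guard itself is the right fix for the `size_t inputlen = length;` conversion, since a negative `int` would otherwise become a huge unsigned length. The function's signature line sits just above the hunk as its `@@` context, so the body shown here is otherwise complete.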