diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2016-10-04 18:56:45 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2016-10-31 08:46:35 +0100 |
| commit | 53e71e47d6b81650d26ec33a58d0dca24c7ffb2c (patch) | |
| tree | a5f0a1087187b889163113e83f081f8fec9d16d8 /lib/escape.c | |
| parent | c5be3d7267c725dbd093ff3a883e07ee8cf2a1d5 (diff) | |
| download | curl-53e71e47d6b81650d26ec33a58d0dca24c7ffb2c.tar.gz | |
unescape: avoid integer overflow
CVE-2016-8622
Bug: https://curl.haxx.se/docs/adv_20161102H.html
Reported-by: Cure53
Diffstat (limited to 'lib/escape.c')
| -rw-r--r-- | lib/escape.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/escape.c b/lib/escape.c index e61260d7c..66570076e 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -224,8 +224,14 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string, FALSE); if(res) return NULL; - if(olen) - *olen = curlx_uztosi(outputlen); + + if(olen) { + if(outputlen <= (size_t) INT_MAX) + *olen = curlx_uztosi(outputlen); + else + /* too large to return in an int, fail! */ + Curl_safefree(str); + } } return str; } |