summaryrefslogtreecommitdiff
path: root/lib/escape.c
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2016-10-04 18:56:45 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-10-31 08:46:35 +0100
commit53e71e47d6b81650d26ec33a58d0dca24c7ffb2c (patch)
treea5f0a1087187b889163113e83f081f8fec9d16d8 /lib/escape.c
parentc5be3d7267c725dbd093ff3a883e07ee8cf2a1d5 (diff)
downloadcurl-53e71e47d6b81650d26ec33a58d0dca24c7ffb2c.tar.gz
unescape: avoid integer overflow
CVE-2016-8622 Bug: https://curl.haxx.se/docs/adv_20161102H.html Reported-by: Cure53
Diffstat (limited to 'lib/escape.c')
-rw-r--r--lib/escape.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/escape.c b/lib/escape.c
index e61260d7c..66570076e 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -224,8 +224,14 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string,
FALSE);
if(res)
return NULL;
- if(olen)
- *olen = curlx_uztosi(outputlen);
+
+ if(olen) {
+ if(outputlen <= (size_t) INT_MAX)
+ *olen = curlx_uztosi(outputlen);
+ else
+ /* too large to return in an int, fail! */
+ Curl_safefree(str);
+ }
}
return str;
}