summaryrefslogtreecommitdiff
path: root/src/tool_urlglob.c
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2013-08-16 11:52:59 +0200
committerDaniel Stenberg <daniel@haxx.se>2013-08-16 11:55:04 +0200
commitf15a88f2b25ee44d8c8d3bdcf2508fdf50f8b868 (patch)
treeb42a5187543301a88712f464eec1f440b36d4a42 /src/tool_urlglob.c
parent5ca96cb84410270e233c92bf1b2583cba40c3fad (diff)
downloadcurl-f15a88f2b25ee44d8c8d3bdcf2508fdf50f8b868.tar.gz
glob: error out on range overflow
The new multiply() function detects range value overflows. 32bit machines will overflow on a 32bit boundary while 64bit hosts support ranges up to the full 64 bit range. Added test 1236 to verify. Bug: http://curl.haxx.se/bug/view.cgi?id=1267 Reported-by: Will Dietz
Diffstat (limited to 'src/tool_urlglob.c')
-rw-r--r--src/tool_urlglob.c34
1 files changed, 28 insertions, 6 deletions
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index 0e454c19c..ac13d683d 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -62,6 +62,19 @@ static GlobCode glob_fixed(URLGlob *glob, unsigned long *amount)
return GLOB_OK;
}
+/* multiply
+ *
+ * Multiplies and checks for overflow.
+ */
+static int multiply(unsigned long *amount, long with)
+{
+ unsigned long sum = *amount * with;
+ if(sum/with != *amount)
+ return 1; /* didn't fit, bail out */
+ *amount = sum;
+ return 0;
+}
+
static GlobCode glob_set(URLGlob *glob, char **patternp,
size_t pos, unsigned long *amount,
int globindex)
@@ -102,8 +115,11 @@ static GlobCode glob_set(URLGlob *glob, char **patternp,
"no string within braces at pos %zu\n", pos);
return GLOB_ERROR;
}
- /* add 1 since it'll be incremented below */
- (*amount) *= (pat->content.Set.size+1);
+ /* add 1 to size since it'll be incremented below */
+ if(multiply(amount, pat->content.Set.size+1)) {
+ strcpy(glob->errormsg, "range overflow!\n");
+ return GLOB_ERROR;
+ }
/* fall-through */
case ',':
@@ -224,8 +240,11 @@ static GlobCode glob_range(URLGlob *glob, char **patternp,
pat->content.CharRange.ptr_c = pat->content.CharRange.min_c = min_c;
pat->content.CharRange.max_c = max_c;
- *amount *= (pat->content.CharRange.max_c -
- pat->content.CharRange.min_c + 1);
+ if(multiply(amount, (pat->content.CharRange.max_c -
+ pat->content.CharRange.min_c + 1))) {
+ strcpy(glob->errormsg, "range overflow!\n");
+ return GLOB_ERROR;
+ }
}
else if(ISDIGIT(*pattern)) {
/* numeric range detected */
@@ -288,8 +307,11 @@ static GlobCode glob_range(URLGlob *glob, char **patternp,
pat->content.NumRange.max_n = max_n;
pat->content.NumRange.step = step_n;
- *amount *= (pat->content.NumRange.max_n -
- pat->content.NumRange.min_n + 1);
+ if(multiply(amount, (pat->content.NumRange.max_n -
+ pat->content.NumRange.min_n + 1))) {
+ strcpy(glob->errormsg, "range overflow!\n");
+ return GLOB_ERROR;
+ }
}
else {
snprintf(glob->errormsg, sizeof(glob->errormsg),
View Lorry Controller Status