
Commit 192c4f7

Curl_urldecode: no peeking beyond end of input buffer
Security problem: CVE-2013-2174

If a program would give a string like "%FF" to curl_easy_unescape() but ask for it to decode only the first byte, it would still parse and decode the full hex sequence. The function then not only read beyond the allowed buffer but it would also deduct the *unsigned* counter variable for how many more bytes there's left to read in the buffer by two, making the counter wrap. Continuing this, the function would go on reading beyond the buffer and soon writing beyond the allocated target buffer...

Bug: http://curl.haxx.se/docs/adv_20130622.html
Reported-by: Timo Sirainen
1 parent da0db49 commit 192c4f7
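To make the scenario in the commit message concrete, here is an added example that is not curl's code: a reduced C model of the decode loop in Curl_urldecode with the pre-patch and post-patch "%XX" predicates selectable by a flag. The names percent_decode, decode_result and the helper functions are this example's own; the loop shape (a counter of remaining bytes plus one, decremented at the top of each iteration, as in the hunk below) follows the patched file; and the input "%FF" declared as length 1 is the constructed trigger from the commit message. The old predicate is modelled rather than run to completion: the model records which bytes it inspected beyond the declared length and stops at the point where curl's unsigned counter would wrap, instead of letting the loop run off both buffers.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of one decode run (this example's own type, not a curl type). */
struct decode_result {
    size_t outlen;   /* bytes written to out, NUL not counted */
    size_t overread; /* input bytes the '%' test inspected beyond length */
    int    wrapped;  /* 1 if the unsigned remaining counter would underflow */
};

/*
 * Reduced model of the Curl_urldecode loop. 'in' must be NUL-terminated so
 * the old predicate's peeks stay inside readable memory in this model;
 * 'length' is how many of those bytes the caller actually hands over and may
 * be shorter than strlen(in), which is the advisory's situation. 'out' needs
 * room for length + 1 bytes.
 * fixed == 1: the patched predicate, (alloc > 2) tested before the digits.
 * fixed == 0: the old predicate, except that the model stops and reports
 * where curl's counter would wrap instead of running off both buffers.
 */
static struct decode_result
percent_decode(const char *in, size_t length, char *out, int fixed)
{
    struct decode_result r = {0, 0, 0};
    const char *s = in;
    const char *end = in + length;  /* first byte not owned by the caller */
    char *o = out;
    size_t alloc = length + 1;      /* curl's counter: bytes left, plus one */

    while (--alloc > 0) {           /* after the decrement, alloc == end - s */
        unsigned char c = (unsigned char)*s;
        int hex_follows = 0;

        if (c == '%') {
            if (fixed) {
                /* alloc counts the current byte, so alloc > 2 means s[1] and
                 * s[2] lie within the declared length; short-circuit keeps
                 * the digit tests from running otherwise. */
                hex_follows = (alloc > 2) &&
                              isxdigit((unsigned char)s[1]) &&
                              isxdigit((unsigned char)s[2]);
            } else {
                /* old predicate: peeks at s[1] and then s[2] regardless */
                if (s + 1 >= end)
                    r.overread++;
                hex_follows = isxdigit((unsigned char)s[1]);
                if (hex_follows) {
                    if (s + 2 >= end)
                        r.overread++;
                    hex_follows = isxdigit((unsigned char)s[2]);
                }
                if (hex_follows && alloc <= 2) {
                    /* curl would now do alloc -= 2 on a counter of 1 or 2,
                     * wrapping it now or at the next --alloc; stop the model */
                    r.wrapped = 1;
                    break;
                }
            }
        }

        if (hex_follows) {
            char hexstr[3] = { s[1], s[2], '\0' };
            c = (unsigned char)strtoul(hexstr, NULL, 16);
            s += 2;
            alloc -= 2;
        }
        *o++ = (char)c;
        s++;
    }
    *o = '\0';
    r.outlen = (size_t)(o - out);
    return r;
}

/* Constructed trigger from the commit message: backing string "%FF", but
 * only its first byte is declared to the decoder. */
static int old_predicate_wraps_on_trigger(void)
{
    char out[8];
    return percent_decode("%FF", 1, out, 0).wrapped;
}

static int fixed_keeps_literal_percent_on_trigger(void)
{
    char out[8];
    struct decode_result r = percent_decode("%FF", 1, out, 1);
    return r.wrapped == 0 && r.overread == 0 && r.outlen == 1 && out[0] == '%';
}

/* Patched decoder on ordinary input: 1 if all of 'in' decodes to 'expect'. */
static int fixed_decodes_to(const char *in, const char *expect)
{
    char out[64];
    struct decode_result r = percent_decode(in, strlen(in), out, 1);
    return r.outlen == strlen(expect) && memcmp(out, expect, r.outlen) == 0;
}

int main(void)
{
    char out[8];
    struct decode_result r = percent_decode("%FF", 1, out, 0);
    printf("old:   wrapped=%d overread=%zu outlen=%zu\n",
           r.wrapped, r.overread, r.outlen);
    r = percent_decode("%FF", 1, out, 1);
    printf("fixed: wrapped=%d overread=%zu out=\"%s\"\n",
           r.wrapped, r.overread, out);
    return 0;
}
```

The model also shows the quieter half of the bug: on an input such as "%41BC%4" passed with its full length, the old predicate never wraps the counter, yet it still inspects one byte past the declared length (the terminating NUL here, arbitrary memory in a caller that passes a shorter length than the backing buffer), while the patched predicate leaves the trailing "%4" as literal bytes without touching anything beyond the length it was given.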

File tree: 1 file changed (+3, -2 lines changed)


Diff for: lib/escape.c

+3 -2
@@ -5,7 +5,7 @@
55
* | (__| |_| | _ <| |___
66
* \___|\___/|_| \_\_____|
77
*
8-
* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
8+
* Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
99
*
1010
* This software is licensed as described in the file COPYING, which
1111
* you should have received as part of this distribution. The terms
@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data,
159159

160160
while(--alloc > 0) {
161161
in = *string;
162-
if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
162+
if(('%' == in) && (alloc > 2) &&
163+
ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
163164
/* this is two hexadecimal digits following a '%' */
164165
char hexstr[3];
165166
char *ptr;
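Review bot: the new `(alloc > 2)` guard is placed before the two ISXDIGIT() calls, so it is short-circuit evaluation alone that keeps string[1] and string[2] from being touched on short input; since `alloc` is decremented at the top of `while(--alloc > 0)` before `in = *string` is read, it counts the current byte, which is why the bound is `> 2` and not `>= 2`, and a one-line comment saying so would save the next reader from re-deriving it. The commit message describes the unsigned counter being deducted by two and wrapping; that subtraction is below this hunk and not visible here, so it should be confirmed in review that it is reached only through this condition, as the guard is otherwise not sufficient on its own. A regression test calling curl_easy_unescape() with "%FF" and a length of 1, the case in the report, would pin the fix.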
