Infinite loop in curl_fnmatch #2015

Closed
cmeister2 opened this Issue Oct 25, 2017 · 0 comments

Comments

Projects
None yet
2 participants
Contributor

cmeister2 commented Oct 25, 2017

I did this

This sample code hits an infinite loop in curl_fnmatch.c

#include <curl/curl.h>

int main(int argc, char *argv[])
{
  CURLcode ret;
  CURL *hnd;

  hnd = curl_easy_init();
  curl_easy_setopt(hnd, CURLOPT_URL, "ftp://test.rebex.net/[*\\s-'tl");
  curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
  curl_easy_setopt(hnd, CURLOPT_USERPWD, "demo:password");
  curl_easy_setopt(hnd, CURLOPT_WILDCARDMATCH, 1L);

  ret = curl_easy_perform(hnd);

  curl_easy_cleanup(hnd);
  hnd = NULL;

  return (int)ret;
}

This problem does not exist in the curl tool because this is rejected by tool_urlglob.c.

Discovered by OSS-Fuzz: https://oss-fuzz.com/v2/testcase-detail/4564121254100992

@bagder bagder added the FTP label Oct 25, 2017

bagder added a commit that referenced this issue Oct 25, 2017

curl_fnmatch: return error on illegal [] wildcard pattern
... instead of doing an infinite loop!

Added test 1162 to verify.

Reported-by: Max Dymond
Fixes #2015

@bagder bagder closed this in f0364f7 Oct 26, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment