1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
From 52f3e1d1092c81a4f574c9fc6cb3818b88434c8d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 3 Oct 2016 17:27:16 +0200
Subject: [PATCH 1/3] range: prevent negative end number in a glob range
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2016-8620
Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn
Upstream-Status: Backport
https://curl.haxx.se/CVE-2016-8620.patch
CVE: CVE-2016-8620
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
---
src/tool_urlglob.c | 7 +++++++
1 file changed, 7 insertions(+)
Index: curl-7.44.0/src/tool_urlglob.c
===================================================================
--- curl-7.44.0.orig/src/tool_urlglob.c
+++ curl-7.44.0/src/tool_urlglob.c
@@ -186,32 +186,36 @@ static CURLcode glob_range(URLGlob *glob
/* character range detected */
char min_c;
char max_c;
+ char end_c;
int step=1;
pat->type = UPTCharRange;
- rc = sscanf(pattern, "%c-%c", &min_c, &max_c);
+ rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);
- if((rc == 2) && (pattern[3] == ':')) {
- char *endp;
- unsigned long lstep;
- errno = 0;
- lstep = strtoul(&pattern[4], &endp, 10);
- if(errno || (*endp != ']'))
- step = -1;
- else {
- pattern = endp+1;
- step = (int)lstep;
- if(step > (max_c - min_c))
+ if(rc == 3) {
+ if(end_c == ':') {
+ char *endp;
+ unsigned long lstep;
+ errno = 0;
+ lstep = strtoul(&pattern[4], &endp, 10);
+ if(errno || (*endp != ']'))
step = -1;
+ else {
+ pattern = endp+1;
+ step = (int)lstep;
+ if(step > (max_c - min_c))
+ step = -1;
+ }
}
+ else if(end_c != ']')
+ /* then this is wrong */
+ rc = 0;
}
- else
- pattern += 4;
*posp += (pattern - *patternp);
- if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
+ if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
(step <= 0) )
/* the pattern is not well-formed */
return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);
@@ -255,6 +259,12 @@ static CURLcode glob_range(URLGlob *glob
endp = NULL;
else {
pattern = endp+1;
+ while(*pattern && ISBLANK(*pattern))
+ pattern++;
+ if(!ISDIGIT(*pattern)) {
+ endp = NULL;
+ goto fail;
+ }
errno = 0;
max_n = strtoul(pattern, &endp, 10);
if(errno || (*endp == ':')) {
@@ -275,6 +285,7 @@ static CURLcode glob_range(URLGlob *glob
}
}
+ fail:
*posp += (pattern - *patternp);
if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) ||
@@ -423,6 +434,7 @@ CURLcode glob_url(URLGlob** glob, char*
glob_buffer = malloc(strlen(url) + 1);
if(!glob_buffer)
return CURLE_OUT_OF_MEMORY;
+ glob_buffer[0]=0;
glob_expand = calloc(1, sizeof(URLGlob));
if(!glob_expand) {
@@ -540,20 +552,25 @@ CURLcode glob_next_url(char **globbed, U
switch(pat->type) {
case UPTSet:
if(pat->content.Set.elements) {
- len = strlen(pat->content.Set.elements[pat->content.Set.ptr_s]);
snprintf(buf, buflen, "%s",
pat->content.Set.elements[pat->content.Set.ptr_s]);
+ len = strlen(buf);
buf += len;
buflen -= len;
}
break;
case UPTCharRange:
- *buf++ = pat->content.CharRange.ptr_c;
+ if(buflen) {
+ *buf++ = pat->content.CharRange.ptr_c;
+ *buf = '\0';
+ buflen--;
+ }
break;
case UPTNumRange:
- len = snprintf(buf, buflen, "%0*ld",
- pat->content.NumRange.padlength,
- pat->content.NumRange.ptr_n);
+ snprintf(buf, buflen, "%0*ld",
+ pat->content.NumRange.padlength,
+ pat->content.NumRange.ptr_n);
+ len = strlen(buf);
buf += len;
buflen -= len;
break;
@@ -562,7 +579,6 @@ CURLcode glob_next_url(char **globbed, U
return CURLE_FAILED_INIT;
}
}
- *buf = '\0';
*globbed = strdup(glob->glob_buffer);
if(!*globbed)
|
