| 123456789101112131415161718192021222324252627282930313233 |
- From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001
- From: Daniel Stenberg <daniel@haxx.se>
- Date: Tue, 1 Aug 2017 17:16:07 +0200
- Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow
- range
- Added test 1289 to verify.
- CVE-2017-1000101
- Bug: https://curl.haxx.se/docs/adv_20170809A.html
- Reported-by: Brian Carpenter
- ---
- src/tool_urlglob.c | 5 ++++-
- tests/data/Makefile.inc | 2 +-
- tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++
- 3 files changed, 40 insertions(+), 2 deletions(-)
- create mode 100644 tests/data/test1289
- --- a/src/tool_urlglob.c
- +++ b/src/tool_urlglob.c
- @@ -272,7 +272,10 @@ static CURLcode glob_range(URLGlob *glob
- }
- errno = 0;
- max_n = strtoul(pattern, &endp, 10);
- - if(errno || (*endp == ':')) {
- + if(errno)
- + /* overflow */
- + endp = NULL;
- + else if(*endp == ':') {
- pattern = endp+1;
- errno = 0;
- step_n = strtoul(pattern, &endp, 10);
|
