Added bounds checking when searching for the separator characters within
the login string, as this string may not be NUL-terminated (for example,
when it is the login part of a URL). For performance reasons, we do this in
preference to allocating a new string to copy the login details into, which
could then be passed to parse_login_details().
size_t olen;
/* Attempt to find the password separator */
- if(passwdp)
+ if(passwdp) {
psep = strchr(login, ':');
+ /* Within the constraint of the login string */
+ if(psep >= login + len)
+ psep = NULL;
+ }
+
/* Attempt to find the options separator */
- if(optionsp)
+ if(optionsp) {
osep = strchr(login, ';');
+ /* Within the constraint of the login string */
+ if(osep >= login + len)
+ osep = NULL;
+ }
+
/* Calculate the portion lengths */
ulen = (psep ?
(size_t)(osep && psep > osep ? osep - login : psep - login) :
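Review bot: The added checks `if(psep >= login + len)` and `if(osep >= login + len)` run only after `strchr()` has finished scanning, so when login is not NUL-terminated (the case the commit message describes) the search itself can still read past `login + len` before the result is discarded. A length-bounded search avoids the over-read and makes the post-checks unnecessary: `psep = memchr(login, ':', len);` and `osep = memchr(login, ';', len);`. The checks as written also compare a possibly-NULL `strchr()` result relationally against `login + len`, which C does not define for pointers that do not point into the same object. The enclosing function begins and ends outside the hunk, and the `ulen` expression continues past its last line.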