From: Daniel Stenberg
Date: Mon, 3 Oct 2016 15:27:16 +0000 (+0200)
Subject: range: prevent negative end number in a glob range
X-Git-Tag: curl-7_51_0~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fbb5f1aa0326d485d5a7ac643b48481897ca667f;p=thirdparty%2Fcurl.git

range: prevent negative end number in a glob range

CVE-2016-8620

Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn
---
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index a357b8b561..64c75ba4f6 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
 endp = NULL;
 else {
 pattern = endp+1;
+ while(*pattern && ISBLANK(*pattern))
+ pattern++;
+ if(!ISDIGIT(*pattern)) {
+ endp = NULL;
+ goto fail;
+ }
 errno = 0;
 max_n = strtoul(pattern, &endp, 10);
 if(errno || (*endp == ':')) {
@@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
 }
 }
+ fail:
 *posp += (pattern - *patternp);
 if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || !step_n)
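Review bot: The new guard in front of `max_n = strtoul(pattern, &endp, 10)` has no comment saying why a digit is required, and the reason is easy to lose: strtoul() skips whitespace and accepts a leading sign itself, so a `-` would be converted into a very large unsigned end value instead of being rejected. I would add `/* strtoul() accepts a sign and wraps negatives; require a digit first */` above the `if(!ISDIGIT(*pattern))` line. The step value after `:` looks to be parsed in the block opened by the last context line, which continues outside this hunk, so it is worth confirming that a signed step there is caught by the later `step_n > (max_n - min_n)` test. The `*pattern &&` term in the loop is redundant if ISBLANK is false for NUL, which is only a style point.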
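Review bot: The `fail:` label sits on a path that successful parses also fall through, so the name misstates what follows it, and the error is reported only because the jump site sets `endp = NULL` before `goto fail` and the `!endp` test below picks that up. A comment on the label would make the coupling visible, for example `/* also reached on success; endp == NULL marks a parse error */`. glob_range starts before this hunk and continues past it, so the actual return path is not visible here.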