From: Steve Holme <steve_holme@hotmail.com>
Date: Fri, 19 Apr 2013 18:37:55 +0000 (+0100)
Subject: url: Added bounds checking to parse_login_details()
X-Git-Tag: curl-7_31_0~142
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49184c37233c2cf27b79ebcd29fb8a4f5fb2e1ed;p=thirdparty%2Fcurl.git

url: Added bounds checking to parse_login_details()

Added bounds checking when searching for the separator characters within
the login string as this string may not be NULL terminated (For example
it is the login part of a URL). We do this in preference to allocating a
new string to copy the login details into which could then be passed to
parse_login_details() for performance reasons.
---

diff --git a/lib/url.c b/lib/url.c
index bd07059bce..3563f08535 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -4482,13 +4482,23 @@ static CURLcode parse_login_details(const char *login, const size_t len,
   size_t olen;
 
   /* Attempt to find the password separator */
-  if(passwdp)
+  if(passwdp) {
     psep = strchr(login, ':');
 
+    /* Within the constraint of the login string */
+    if(psep >= login + len)
+      psep = NULL;
+  }
+
   /* Attempt to find the options separator */
-  if(optionsp)
+  if(optionsp) {
     osep = strchr(login, ';');
 
+    /* Within the constraint of the login string */
+    if(osep >= login + len)
+      osep = NULL;
+  }
+
   /* Calculate the portion lengths */
   ulen = (psep ?
           (size_t)(osep && psep > osep ? osep - login : psep - login) :