From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 23 Dec 2025 23:09:37 +0000 (+0100)
Subject: escape: add a length check in curl_easy_escape
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76e7d496b66dfd46df3f00c4d3e7c0f92e077f2f;p=thirdparty%2Fcurl.git

escape: add a length check in curl_easy_escape

Only accept up to SIZE_MAX/16 input bytes. To avoid overflows, mistakes
and abuse.

Follow-up to 9bfc7f923479235b2fdf0e

Reported-by: Daniel Santos

Closes #20086
---

diff --git a/docs/libcurl/curl_easy_escape.md b/docs/libcurl/curl_easy_escape.md
index 1480a75c59..262bf131a8 100644
--- a/docs/libcurl/curl_easy_escape.md
+++ b/docs/libcurl/curl_easy_escape.md
@@ -34,8 +34,7 @@ A-Z, 0-9, '-', '.', '_' or '~' are converted to their "URL escaped" version
 constrained by its type, the returned string may not be altered.
 
 If *length* is set to 0 (zero), curl_easy_escape(3) uses strlen() on the input
-*string* to find out the size. This function does not accept input strings
-longer than **CURL_MAX_INPUT_LENGTH** (8 MB).
+*string* to find out the size.
 
 You must curl_free(3) the returned string when you are done with it.
 
diff --git a/lib/escape.c b/lib/escape.c
index 2e38301d9c..24d4c4e42c 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -62,6 +62,9 @@ char *curl_easy_escape(CURL *data, const char *string, int inlength)
   if(!length)
     return curlx_strdup("");
 
+  if(length > SIZE_MAX/16)
+    return NULL;
+
   curlx_dyn_init(&d, length * 3 + 1);
 
   while(length--) {