From: Daniel Stenberg Date: Mon, 9 Nov 2020 15:24:13 +0000 (+0100) Subject: curl_easy_escape: limit output string length to 3 * max input X-Git-Tag: curl-7_74_0~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ae59838f0b9af600f3936485ad45de86bd3435f;p=thirdparty%2Fcurl.git curl_easy_escape: limit output string length to 3 * max input ... instead of the limiting it to just the max input size. As every input byte can be expanded to 3 output bytes, this could limit the input string to 2.66 MB instead of the intended 8 MB. Reported-by: Marc Schlatter Closes #6192 --- diff --git a/lib/escape.c b/lib/escape.c index 1ec698aa6d..683b6fc4a6 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -86,7 +86,7 @@ char *curl_easy_escape(struct Curl_easy *data, const char *string, if(inlength < 0) return NULL; - Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH); + Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH * 3); length = (inlength?(size_t)inlength:strlen(string)); if(!length)
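Review bot: In the curl_easy_escape hunk, the new Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH * 3) bound caps only the escaped output, and nothing in the visible lines checks the input length itself. An input made mostly of bytes that need no escaping can therefore grow to three times CURL_MAX_INPUT_LENGTH before the dynamic buffer refuses it. If the 8 MB input limit named in the commit message is meant to hold as an upper bound as well, add an explicit check right after length is computed, for example: if(length > CURL_MAX_INPUT_LENGTH) return NULL; A short comment next to the "* 3" noting that each input byte can expand to a three-byte %XX sequence would also document where the factor comes from.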