From 7ae59838f0b9af600f3936485ad45de86bd3435f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 Nov 2020 16:24:13 +0100 Subject: [PATCH] curl_easy_escape: limit output string length to 3 * max input ... instead of the limiting it to just the max input size. As every input byte can be expanded to 3 output bytes, this could limit the input string to 2.66 MB instead of the intended 8 MB. Reported-by: Marc Schlatter Closes #6192 --- lib/escape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/escape.c b/lib/escape.c index 1ec698aa6d..683b6fc4a6 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -86,7 +86,7 @@ char *curl_easy_escape(struct Curl_easy *data, const char *string, if(inlength < 0) return NULL; - Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH); + Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH * 3); length = (inlength?(size_t)inlength:strlen(string)); if(!length) -- 2.47.3