curl: fix segmentation fault for empty output file names.

Function glob_match_url set *result to NULL when called with filename =
"", producing an indirect NULL pointer dereference.

Closes #8606

diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 7558f2003b53286f0652b2be942a8e390d347518..52a247d27aa5bb70e4d7d6e4e5ee2064190ad9ef 100644 (file)
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -2043,6 +2043,10 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
 
       /* fill in the outfile */
       if('o' == letter) {
+        if(!*nextarg) {
+          warnf(global, "output file name has no length\n");
+          return PARAM_BAD_USE;
+        }
         GetStr(&url->outfile, nextarg);
         url->flags &= ~GETOUT_USEREMOTE; /* switch off */
       }

diff --git a/src/tool_operate.c b/src/tool_operate.c
index 2e576d0d0e5cce910eddc6fcabb226f325bec767..cc9fc9a57c9e881a814bbcfed34b24ddd2a22869 100644 (file)
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1020,6 +1020,11 @@ static CURLcode single_transfer(struct GlobalConfig *global,
               warnf(global, "bad output glob!\n");
               break;
             }
+            if(!*per->outfile) {
+              warnf(global, "output glob produces empty string!\n");
+              result = CURLE_WRITE_ERROR;
+              break;
+            }
           }
 
           if(config->output_dir && *config->output_dir) {

diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index df882b28a976b1a8429f1a1c6d16a48143104975..356288a43dc257d6e1e434b1310b901365667b88 100644 (file)
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -686,6 +686,9 @@ CURLcode glob_match_url(char **result, char *filename, struct URLGlob *glob)
       return CURLE_OUT_OF_MEMORY;
   }
 
+  if(curlx_dyn_addn(&dyn, "", 0))
+    return CURLE_OUT_OF_MEMORY;
+
 #if defined(MSDOS) || defined(WIN32)
   {
     char *sanitized;