From: Ian Blanes <>
Date: Mon, 28 Mar 2022 07:39:09 +0000 (+0200)
Subject: curl: fix segmentation fault for empty output file names.
X-Git-Tag: curl-7_83_0~101
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9e5bd9ba194fbff878a5a2baff4a6a32cd50f347;p=thirdparty%2Fcurl.git
curl: fix segmentation fault for empty output file names.
Function glob_match_url set *result to NULL when called with filename = "", producing an indirect NULL pointer dereference.
Closes #8606
---
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 7558f2003b..52a247d27a 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -2043,6 +2043,10 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
/* fill in the outfile */
if('o' == letter) {
+ if(!*nextarg) {
+ warnf(global, "output file name has no length\n");
+ return PARAM_BAD_USE;
+ }
GetStr(&url->outfile, nextarg);
url->flags &= ~GETOUT_USEREMOTE; /* switch off */
}
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 2e576d0d0e..cc9fc9a57c 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1020,6 +1020,11 @@ static CURLcode single_transfer(struct GlobalConfig *global,
warnf(global, "bad output glob!\n");
break;
}
+ if(!*per->outfile) {
+ warnf(global, "output glob produces empty string!\n");
+ result = CURLE_WRITE_ERROR;
+ break;
+ }
}
if(config->output_dir && *config->output_dir) {
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index df882b28a9..356288a43d 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
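Review bot: In the `src/tool_getparam.c` hunk, the new `if(!*nextarg)` guard carries no comment saying why an empty output name is refused; the reason (an empty name led to a NULL `*result` from glob_match_url() and a later NULL dereference) lives only in the commit message. I would put `/* an empty name makes glob_match_url() yield no file name, see #8606 */` above the check. The guard also dereferences `nextarg` without a NULL test, which is safe only if getparameter() has already rejected a missing argument before reaching this branch; that code is outside the hunk, so it is worth confirming.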
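Review bot: In the `src/tool_operate.c` hunk, `if(!*per->outfile)` dereferences `per->outfile` on the assumption that a successful glob_match_url() never leaves it NULL, and that appears to hold only because of the `curlx_dyn_addn(&dyn, "", 0)` line this same commit adds in `src/tool_urlglob.c`. Either record the dependency in a comment, `/* glob_match_url() always returns an allocated string on success */`, or make the check self-contained with `if(!per->outfile || !*per->outfile) {`. The warning would be easier to act on if it named the glob pattern that expanded to nothing. single_transfer() begins and ends outside the hunk, so whether the `break` path releases `per->outfile` cannot be checked from here.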
@@ -686,6 +686,9 @@ CURLcode glob_match_url(char **result, char *filename, struct URLGlob *glob)
return CURLE_OUT_OF_MEMORY;
}
+ if(curlx_dyn_addn(&dyn, "", 0))
+ return CURLE_OUT_OF_MEMORY;
+
#if defined(MSDOS) || defined(WIN32)
{
char *sanitized;
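Review bot: The added `curlx_dyn_addn(&dyn, "", 0)` reads like a no-op, so it needs a comment explaining that the zero-length append is presumably there to force the buffer to exist, keeping `*result` non-NULL when `filename` is empty, as the commit message describes. Something like `/* append nothing, but force the allocation so *result is never NULL */` would keep a later cleanup from deleting the line and reintroducing the NULL dereference. The early `return CURLE_OUT_OF_MEMORY;` assumes a failed append leaves nothing in `dyn` to free; that matches the return in the context line above it, but the dynbuf implementation is not visible here and should be confirmed. glob_match_url() starts and ends outside the hunk.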