From: Daniel Stenberg
Date: Tue, 26 Aug 2025 06:56:07 +0000 (+0200)
Subject: tool_urlglob: add integer overflow protection
X-Git-Tag: curl-8_16_0~86
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fef318553b971142aaea3fe42d927408d06472c4;p=thirdparty%2Fcurl.git
tool_urlglob: add integer overflow protection
It is most likely impossible to actually overflow, but this makes it certain.
Closes #18398
---
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index 028520373e..9647898755 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -124,17 +124,21 @@ static CURLcode glob_set(struct URLGlob *glob, const char **patternp,
 /* add 1 to size since it will be incremented below */
 if(multiply(amount, pat->c.set.size + 1))
 return globerror(glob, "range overflow", 0, CURLE_URL_MALFORMAT);
-
+ done = TRUE;
 FALLTHROUGH();
 case ',':
 if(pat->c.set.elem) {
- char **new_arr = realloc(pat->c.set.elem,
- (size_t)(pat->c.set.size + 1) *
- sizeof(char *));
- if(!new_arr)
+ char **arr;
+
+ if(pat->c.set.size >= (curl_off_t)(SIZE_T_MAX/(sizeof(char *))))
+ return globerror(glob, "range overflow", 0, CURLE_URL_MALFORMAT);
+
+ arr = realloc(pat->c.set.elem, (size_t)(pat->c.set.size + 1) *
+ sizeof(char *));
+ if(!arr)
 return globerror(glob, NULL, 0, CURLE_OUT_OF_MEMORY);
- pat->c.set.elem = new_arr;
+ pat->c.set.elem = arr;
 }
 else
 pat->c.set.elem = malloc(sizeof(char *));
@@ -149,14 +153,9 @@ static CURLcode glob_set(struct URLGlob *glob, const char **patternp,
 ++pat->c.set.size;
 curlx_dyn_reset(&glob->buf);
- if(*pattern == '}') {
- pattern++; /* pass the closing brace */
- done = TRUE;
- continue;
- }
-
 ++pattern;
- ++(*posp);
+ if(!done)
+ ++(*posp);
 break;
 case ']': /* illegal closing bracket */
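Review bot: The new bound check in the `case ','` realloc path carries no comment saying what it protects, and it reports the same "range overflow" text as the `multiply()` check a few lines above, so neither a reader nor an error report can tell the two limits apart. I would put `/* keep (size + 1) * sizeof(char *) representable in size_t for the realloc below */` directly above the `if`. The bound itself looks right: rejecting `size >= SIZE_T_MAX/sizeof(char *)` keeps `size + 1` at or below the quotient, so neither the `(size_t)` cast nor the multiplication can wrap. The early return leaves `pat->c.set.elem` untouched, as the existing out-of-memory return does; whether the caller then releases the set is decided outside this hunk.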
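Review bot: With the `}` branch folded into the shared tail, the `if(!done)` guard in front of `++(*posp)` is the only thing that keeps the old behaviour where the closing brace advances `pattern` but not `*posp`, and nothing in the code says so. A one-line comment such as `/* the closing brace moves pattern forward but is not counted in *posp */` would stop a later cleanup from dropping the guard. The removed branch left through `continue` while the new path leaves through `break`; the two are equivalent only if no statement follows the switch inside the loop, and the loop body lies outside this hunk, so that is worth confirming.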