From b8f34f331c8b8f239db0653b73a3dec27724cb4a Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 2 Nov 2016 17:24:49 +0100
Subject: [PATCH] Resolves: CVE-2016-8620 - fix glob parser write/read out of bounds
---
0017-curl-7.47.1-CVE-2016-8620.patch | 192 +++++++++++++++++++++++++++
curl.spec | 5 +
2 files changed, 197 insertions(+)
create mode 100644 0017-curl-7.47.1-CVE-2016-8620.patch
diff --git a/0017-curl-7.47.1-CVE-2016-8620.patch b/0017-curl-7.47.1-CVE-2016-8620.patch
new file mode 100644
index 0000000..3b9edff
--- /dev/null
+++ b/0017-curl-7.47.1-CVE-2016-8620.patch
@@ -0,0 +1,192 @@ +From 899d4f898f2b1b2cc910ca994e23e2d55347c22d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 3 Oct 2016 17:27:16 +0200 +Subject: [PATCH 1/3] range: prevent negative end number in a glob range +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2016-8620 + +Bug: https://curl.haxx.se/docs/adv_20161102F.html +Reported-by: Luật Nguyễn + +Upstream-commit: fbb5f1aa0326d485d5a7ac643b48481897ca667f +Signed-off-by: Kamil Dudka +--- + src/tool_urlglob.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c +index 6a4ff76..49bbe4b 100644 +--- a/src/tool_urlglob.c ++++ b/src/tool_urlglob.c +@@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, + endp = NULL; + else { + pattern = endp+1; ++ while(*pattern && ISBLANK(*pattern)) ++ pattern++; ++ if(!ISDIGIT(*pattern)) { ++ endp = NULL; ++ goto fail; ++ } + errno = 0; + max_n = strtoul(pattern, &endp, 10); + if(errno || (*endp == ':')) { +@@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, + } + } + ++ fail: + *posp += (pattern - *patternp); + + if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || +-- +2.7.4 + + +From 2897ecbeaf174a4f665e4b7ff9aea7fdd85f3d80 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 3 Oct 2016 18:23:22 +0200 +Subject: [PATCH 2/3] glob_next_url: make sure to stay within the given output + buffer + +Upstream-commit: 269a88910436d730ac212f4dc01cbe6961338061 +Signed-off-by: Kamil Dudka +--- + src/tool_urlglob.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c +index 49bbe4b..3a3aba9 100644 +--- a/src/tool_urlglob.c ++++ b/src/tool_urlglob.c +@@ -432,6 +432,7 @@ CURLcode glob_url(URLGlob** glob, char* url, unsigned long *urlnum, + glob_buffer = malloc(strlen(url) + 1); + if(!glob_buffer) + return CURLE_OUT_OF_MEMORY; ++ 
glob_buffer[0]=0; + + glob_expand = calloc(1, sizeof(URLGlob)); + if(!glob_expand) { +@@ -549,20 +550,25 @@ CURLcode glob_next_url(char **globbed, URLGlob *glob) + switch(pat->type) { + case UPTSet: + if(pat->content.Set.elements) { +- len = strlen(pat->content.Set.elements[pat->content.Set.ptr_s]); + snprintf(buf, buflen, "%s", + pat->content.Set.elements[pat->content.Set.ptr_s]); ++ len = strlen(buf); + buf += len; + buflen -= len; + } + break; + case UPTCharRange: +- *buf++ = pat->content.CharRange.ptr_c; ++ if(buflen) { ++ *buf++ = pat->content.CharRange.ptr_c; ++ *buf = '\0'; ++ buflen--; ++ } + break; + case UPTNumRange: +- len = snprintf(buf, buflen, "%0*ld", +- pat->content.NumRange.padlength, +- pat->content.NumRange.ptr_n); ++ snprintf(buf, buflen, "%0*ld", ++ pat->content.NumRange.padlength, ++ pat->content.NumRange.ptr_n); ++ len = strlen(buf); + buf += len; + buflen -= len; + break; +@@ -571,7 +577,6 @@ CURLcode glob_next_url(char **globbed, URLGlob *glob) + return CURLE_FAILED_INIT; + } + } +- *buf = '\0'; + + *globbed = strdup(glob->glob_buffer); + if(!*globbed) +-- +2.7.4 + + +From 46475c97a6970a644239c542bc6a2a653020c87b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 Oct 2016 17:25:09 +0200 +Subject: [PATCH 3/3] range: reject char globs with missing end like '[L-]' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... which previously would lead to out of boundary reads. 
+ +Reported-by: Luật Nguyễn + +Upstream-commit: ee4f76606cfa4ee068bf28edd37c8dae7e8db317 +Signed-off-by: Kamil Dudka +--- + src/tool_urlglob.c | 34 +++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c +index 3a3aba9..3b17a68 100644 +--- a/src/tool_urlglob.c ++++ b/src/tool_urlglob.c +@@ -188,32 +188,36 @@ static CURLcode glob_range(URLGlob *glob, char **patternp, + /* character range detected */ + char min_c; + char max_c; ++ char end_c; + int step=1; + + pat->type = UPTCharRange; + +- rc = sscanf(pattern, "%c-%c", &min_c, &max_c); ++ rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c); + +- if((rc == 2) && (pattern[3] == ':')) { +- char *endp; +- unsigned long lstep; +- errno = 0; +- lstep = strtoul(&pattern[4], &endp, 10); +- if(errno || (*endp != ']')) +- step = -1; +- else { +- pattern = endp+1; +- step = (int)lstep; +- if(step > (max_c - min_c)) ++ if(rc == 3) { ++ if(end_c == ':') { ++ char *endp; ++ unsigned long lstep; ++ errno = 0; ++ lstep = strtoul(&pattern[4], &endp, 10); ++ if(errno || (*endp != ']')) + step = -1; ++ else { ++ pattern = endp+1; ++ step = (int)lstep; ++ if(step > (max_c - min_c)) ++ step = -1; ++ } + } ++ else if(end_c != ']') ++ /* then this is wrong */ ++ rc = 0; + } +- else +- pattern += 4; + + *posp += (pattern - *patternp); + +- if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) || ++ if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) || + (step <= 0) ) + /* the pattern is not well-formed */ + return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT); +-- +2.7.4 + diff --git a/curl.spec b/curl.spec index e4a9f70..71b9252 100644 --- a/curl.spec +++ b/curl.spec 
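Review bot: In the [PATCH 3/3] rewrite of the char-range branch of glob_range, the well-formed `[a-z]` case (rc == 3 with end_c == ']') no longer advances `pattern`: the removed `else pattern += 4;` has no replacement in the new `if(rc == 3)` block, so `*posp` and the position handed back through `*patternp` would still point at the `[` unless the advance happens after the hunk (the function's tail is outside it). Adding a third arm `else /* end_c == ']' */ pattern += 4;` after `else if(end_c != ']') rc = 0;` restores the old behaviour for that case while keeping the new rejection of `[L-]`. In [PATCH 2/3], the UPTCharRange case now stores `*buf = '\0'` at the byte after the one it consumed, which stays in bounds only if `buflen` excludes the terminator slot; that contract is fixed where buflen is initialised, outside the hunk, and is worth pinning with a comment there such as `/* buflen: bytes available before the terminator slot */`.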
@@ -40,6 +40,9 @@ Patch15: 0015-curl-7.47.1-CVE-2016-8622.patch # fix out-of-bounds read in curl_getdate() (CVE-2016-8621) Patch16: 0016-curl-7.47.1-CVE-2016-8621.patch +# fix glob parser write/read out of bounds (CVE-2016-8620) +Patch17: 0017-curl-7.47.1-CVE-2016-8620.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -164,6 +167,7 @@ documentation of the library, too. %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 # Fedora patches %patch101 -p1 @@ -280,6 +284,7 @@ rm -rf $RPM_BUILD_ROOT %changelog * Wed Nov 02 2016 Kamil Dudka 7.47.1-9 +- fix glob parser write/read out of bounds (CVE-2016-8620) - fix out-of-bounds read in curl_getdate() (CVE-2016-8621) - fix URL unescape heap overflow via integer truncation (CVE-2016-8622) - fix use-after-free via shared cookies (CVE-2016-8623)