From eb160abce0ac45a8e070d9fa995c61a416a58ddd Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Sat, 11 Mar 2017 10:59:34 +0100
Subject: [PATCH 1/2] tool_writeout: fixed a buffer read overrun on --write-out

If a % ended the statement, the string's trailing NUL would be skipped
and memory past the end of the buffer would be accessed and potentially
displayed as part of the --write-out output. Added tests 1440 and 1441
to check for this kind of condition.

Reported-by: Brian Carpenter

Upstream-commit: 1890d59905414ab84a35892b2e45833654aa5c13
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 src/tool_writeout.c     |  2 +-
 tests/data/Makefile.inc |  2 +-
 tests/data/test1440     | 31 +++++++++++++++++++++++++++++++
 tests/data/test1441     | 31 +++++++++++++++++++++++++++++++
 4 files changed, 64 insertions(+), 2 deletions(-)
 create mode 100644 tests/data/test1440
 create mode 100644 tests/data/test1441

diff --git a/src/tool_writeout.c b/src/tool_writeout.c
index 2fb7774..7843182 100644
--- a/src/tool_writeout.c
+++ b/src/tool_writeout.c
@@ -113,7 +113,7 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
   double doubleinfo;
 
   while(ptr && *ptr) {
-    if('%' == *ptr) {
+    if('%' == *ptr && ptr[1]) {
       if('%' == ptr[1]) {
         /* an escaped %-letter */
         fputc('%', stream);
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 8251ab9..2e70895 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -151,7 +151,7 @@ test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
 test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
 test1424 \
 test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
-test1436 test1437 test1438 test1439 \
+test1436 test1437 test1438 test1439 test1440 test1441 \
 \
 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
 test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
diff --git a/tests/data/test1440 b/tests/data/test1440
new file mode 100644
index 0000000..7ed0c4d
--- /dev/null
+++ b/tests/data/test1440
@@ -0,0 +1,31 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing %{
+</name>
+<command>
+file://localhost/%PWD/log/ --write-out '%{'
+</command>
+</client>
+
+# Verify data
+<verify>
+<stdout nonewline="yes">
+%{
+</stdout>
+</verify>
+</testcase>
diff --git a/tests/data/test1441 b/tests/data/test1441
new file mode 100644
index 0000000..6e253a6
--- /dev/null
+++ b/tests/data/test1441
@@ -0,0 +1,31 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing %
+</name>
+<command>
+file://localhost/%PWD/log/ --write-out '%'
+</command>
+</client>
+
+# Verify data
+<verify>
+<stdout nonewline="yes">
+%
+</stdout>
+</verify>
+</testcase>
-- 
2.9.3


From 67bee1434a17065da7db3fc2915c494f289f46de Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 24 Mar 2017 10:14:21 +0100
Subject: [PATCH 2/2] curl: check for end of input in writeout backslash
 handling

Reported-by: Brian Carpenter

Added test 1442 to verify

Upstream-commit: 8e65877870c1fac920b65219adec720df810aab9
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 src/tool_writeout.c     |  4 ++--
 tests/data/Makefile.inc |  2 +-
 tests/data/test1442     | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 tests/data/test1442

diff --git a/src/tool_writeout.c b/src/tool_writeout.c
index 7843182..5d92bd2 100644
--- a/src/tool_writeout.c
+++ b/src/tool_writeout.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -341,7 +341,7 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
         }
       }
     }
-    else if('\\' == *ptr) {
+    else if('\\' == *ptr && ptr[1]) {
       switch(ptr[1]) {
       case 'r':
         fputc('\r', stream);
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 2e70895..267ff6a 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -151,7 +151,7 @@ test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
 test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
 test1424 \
 test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
-test1436 test1437 test1438 test1439 test1440 test1441 \
+test1436 test1437 test1438 test1439 test1440 test1441 test1442 \
 \
 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
 test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
diff --git a/tests/data/test1442 b/tests/data/test1442
new file mode 100644
index 0000000..255a4c9
--- /dev/null
+++ b/tests/data/test1442
@@ -0,0 +1,35 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+FILE
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing \
+</name>
+<command>
+file://localhost/%PWD/log/non-existent-file.txt --write-out '\'
+</command>
+</client>
+
+# Verify data
+<verify>
+<errorcode>
+37
+</errorcode>
+<stdout nonewline="yes">
+\
+</stdout>
+</verify>
+</testcase>
-- 
2.9.3