curl/0017-curl-7.47.1-CVE-2016-8620.patch

From 899d4f898f2b1b2cc910ca994e23e2d55347c22d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 3 Oct 2016 17:27:16 +0200
Subject: [PATCH 1/3] range: prevent negative end number in a glob range
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2016-8620

Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn

Upstream-commit: fbb5f1aa0326d485d5a7ac643b48481897ca667f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 src/tool_urlglob.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index 6a4ff76..49bbe4b 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
         endp = NULL;
       else {
         pattern = endp+1;
+        while(*pattern && ISBLANK(*pattern))
+          pattern++;
+        if(!ISDIGIT(*pattern)) {
+          endp = NULL;
+          goto fail;
+        }
         errno = 0;
         max_n = strtoul(pattern, &endp, 10);
         if(errno || (*endp == ':')) {
@@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
       }
     }
 
+    fail:
     *posp += (pattern - *patternp);
 
     if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) ||
-- 
2.7.4


From 2897ecbeaf174a4f665e4b7ff9aea7fdd85f3d80 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 3 Oct 2016 18:23:22 +0200
Subject: [PATCH 2/3] glob_next_url: make sure to stay within the given output
 buffer

Upstream-commit: 269a88910436d730ac212f4dc01cbe6961338061
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 src/tool_urlglob.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index 49bbe4b..3a3aba9 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -432,6 +432,7 @@ CURLcode glob_url(URLGlob** glob, char* url, unsigned long *urlnum,
   glob_buffer = malloc(strlen(url) + 1);
   if(!glob_buffer)
     return CURLE_OUT_OF_MEMORY;
+  glob_buffer[0]=0;
 
   glob_expand = calloc(1, sizeof(URLGlob));
   if(!glob_expand) {
@@ -549,20 +550,25 @@ CURLcode glob_next_url(char **globbed, URLGlob *glob)
     switch(pat->type) {
     case UPTSet:
       if(pat->content.Set.elements) {
-        len = strlen(pat->content.Set.elements[pat->content.Set.ptr_s]);
         snprintf(buf, buflen, "%s",
                  pat->content.Set.elements[pat->content.Set.ptr_s]);
+        len = strlen(buf);
         buf += len;
         buflen -= len;
       }
       break;
     case UPTCharRange:
-      *buf++ = pat->content.CharRange.ptr_c;
+      if(buflen) {
+        *buf++ = pat->content.CharRange.ptr_c;
+        *buf = '\0';
+        buflen--;
+      }
       break;
     case UPTNumRange:
-      len = snprintf(buf, buflen, "%0*ld",
-                     pat->content.NumRange.padlength,
-                     pat->content.NumRange.ptr_n);
+      snprintf(buf, buflen, "%0*ld",
+               pat->content.NumRange.padlength,
+               pat->content.NumRange.ptr_n);
+      len = strlen(buf);
       buf += len;
       buflen -= len;
       break;
@@ -571,7 +577,6 @@ CURLcode glob_next_url(char **globbed, URLGlob *glob)
       return CURLE_FAILED_INIT;
     }
   }
-  *buf = '\0';
 
   *globbed = strdup(glob->glob_buffer);
   if(!*globbed)
-- 
2.7.4


From 46475c97a6970a644239c542bc6a2a653020c87b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 4 Oct 2016 17:25:09 +0200
Subject: [PATCH 3/3] range: reject char globs with missing end like '[L-]'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

... which previously would lead to out of boundary reads.

Reported-by: Luật Nguyễn

Upstream-commit: ee4f76606cfa4ee068bf28edd37c8dae7e8db317
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 src/tool_urlglob.c | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index 3a3aba9..3b17a68 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -188,32 +188,36 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
     /* character range detected */
     char min_c;
     char max_c;
+    char end_c;
     int step=1;
 
     pat->type = UPTCharRange;
 
-    rc = sscanf(pattern, "%c-%c", &min_c, &max_c);
+    rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);
 
-    if((rc == 2) && (pattern[3] == ':')) {
-      char *endp;
-      unsigned long lstep;
-      errno = 0;
-      lstep = strtoul(&pattern[4], &endp, 10);
-      if(errno || (*endp != ']'))
-        step = -1;
-      else {
-        pattern = endp+1;
-        step = (int)lstep;
-        if(step > (max_c - min_c))
+    if(rc == 3) {
+      if(end_c == ':') {
+        char *endp;
+        unsigned long lstep;
+        errno = 0;
+        lstep = strtoul(&pattern[4], &endp, 10);
+        if(errno || (*endp != ']'))
           step = -1;
+        else {
+          pattern = endp+1;
+          step = (int)lstep;
+          if(step > (max_c - min_c))
+            step = -1;
+        }
       }
+      else if(end_c != ']')
+        /* then this is wrong */
+        rc = 0;
     }
-    else
-      pattern += 4;
 
     *posp += (pattern - *patternp);
 
-    if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
+    if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
        (step <= 0) )
       /* the pattern is not well-formed */
       return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);
-- 
2.7.4