Commit 73b1a965 authored by Daniel Stenberg's avatar Daniel Stenberg

globbing: fix segfault when >9 globs were used

Stupid lack of range checks caused the code to overwrite local variables
after glob number nine. Added checks now.

Bug: http://curl.haxx.se/bug/view.cgi?id=3546353
parent 42e4c34f
+8 −2
@@ -64,7 +64,10 @@ static GlobCode glob_set(URLGlob *glob, char *pattern,
  pat->content.Set.ptr_s = 0;
  pat->content.Set.elements = NULL;

  ++glob->size;
  if(++glob->size > (GLOB_PATTERN_NUM*2)) {
    snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n");
    return GLOB_ERROR;
  }

  while(!done) {
    switch (*pattern) {
@@ -181,7 +184,10 @@ static GlobCode glob_range(URLGlob *glob, char *pattern,

  pat = &glob->pattern[glob->size / 2];
  /* patterns 0,1,2,... correspond to size=1,3,5,... */
  ++glob->size;
  if(++glob->size > (GLOB_PATTERN_NUM*2)) {
    snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n");
    return GLOB_ERROR;
  }

  if(ISALPHA(*pattern)) {
    /* character range detected */
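Review bot: The new limit check in glob_set and glob_range runs only after the pattern slot has been picked from `glob->size / 2`, and in glob_set after `pat->content.Set.ptr_s` and `.elements` have already been written through it, so the tenth glob still touches `pattern[9]` before it is rejected. That access is in bounds only because the header change in this commit grows the array to `GLOB_PATTERN_NUM+1`, which makes the safety of the check depend on a declaration in another file. Testing before the slot is used, `if(glob->size >= GLOB_PATTERN_NUM*2) { snprintf(...); return GLOB_ERROR; }` followed by a plain `++glob->size;`, rejects the same inputs without that dependency and leaves `size` unchanged on the error path. Both function bodies start and end outside the hunks, so where `pat` is assigned in glob_set is inferred from the writes shown.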
+4 −1
@@ -53,9 +53,12 @@ typedef struct {
  } content;
} URLPattern;

/* the total number of globs supported */
#define GLOB_PATTERN_NUM 9

typedef struct {
  char *literal[10];
  URLPattern pattern[9];
  URLPattern pattern[GLOB_PATTERN_NUM+1];
  size_t size;
  size_t urllen;
  char *glob_buffer;
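Review bot: `char *literal[10];` stays a bare constant next to `pattern[GLOB_PATTERN_NUM+1]`, so raising GLOB_PATTERN_NUM later would grow one array and not the other. If `literal` is indexed from the same `size` counter (its use is not visible in this commit), declare it as `char *literal[GLOB_PATTERN_NUM+1];`. The comment above the define should also say why the arrays carry one extra element, for example `/* the total number of globs supported; arrays hold one spare slot because the limit check runs after the slot is selected */`. The struct continues past the end of the hunk.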