range: reject char globs with missing end like '[L-]' (ee4f7660) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

src/tool_urlglob.c

+19 −15

Original line number	Original line	Diff line number	Diff line
	@@ -188,13 +188,15 @@ static CURLcode glob_range(URLGlob glob, char *patternp,
	/* character range detected */		/* character range detected */
	char min_c;		char min_c;
	char max_c;		char max_c;
			char end_c;
	int step=1;		int step=1;

	pat->type = UPTCharRange;		pat->type = UPTCharRange;

	rc = sscanf(pattern, "%c-%c", &min_c, &max_c);		rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);

	if((rc == 2) && (pattern[3] == ':')) {		if(rc == 3) {
			if(end_c == ':') {
	char *endp;		char *endp;
	unsigned long lstep;		unsigned long lstep;
	errno = 0;		errno = 0;
	@@ -208,12 +210,14 @@ static CURLcode glob_range(URLGlob glob, char *patternp,
	step = -1;		step = -1;
	}		}
	}		}
	else		else if(end_c != ']')
	pattern += 4;		/* then this is wrong */
			rc = 0;
			}

	posp += (pattern - patternp);		posp += (pattern - patternp);

	if((rc != 2) \|\| (min_c >= max_c) \|\| ((max_c - min_c) > ('z' - 'a')) \|\|		if((rc != 3) \|\| (min_c >= max_c) \|\| ((max_c - min_c) > ('z' - 'a')) \|\|
	(step <= 0) )		(step <= 0) )
	/* the pattern is not well-formed */		/* the pattern is not well-formed */
	return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);		return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);