globbing: fix segfault when >9 globs were used

author Daniel Stenberg <daniel@haxx.se>

Tue, 7 Aug 2012 11:45:59 +0000 (13:45 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Tue, 7 Aug 2012 11:45:59 +0000 (13:45 +0200)
author Daniel Stenberg <daniel@haxx.se>
Tue, 7 Aug 2012 11:45:59 +0000 (13:45 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Tue, 7 Aug 2012 11:45:59 +0000 (13:45 +0200)
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c

index 5e73f14..2821d00 100644 (file)
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -64,7 +64,10 @@ static GlobCode glob_set(URLGlob *glob, char *pattern,
    pat->content.Set.ptr_s = 0;
    pat->content.Set.elements = NULL;
  
-  ++glob->size;
+  if(++glob->size > (GLOB_PATTERN_NUM*2)) {
+    snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n");
+    return GLOB_ERROR;
+  }
  
    while(!done) {
      switch (*pattern) {
@@ -181,7 +184,10 @@ static GlobCode glob_range(URLGlob *glob, char *pattern,
  
    pat = &glob->pattern[glob->size / 2];
    /* patterns 0,1,2,... correspond to size=1,3,5,... */
-  ++glob->size;
+  if(++glob->size > (GLOB_PATTERN_NUM*2)) {
+    snprintf(glob->errormsg, sizeof(glob->errormsg), "too many globs used\n");
+    return GLOB_ERROR;
+  }
  
    if(ISALPHA(*pattern)) {
      /* character range detected */
diff --git a/src/tool_urlglob.h b/src/tool_urlglob.h

index 9c37f15..9c08137 100644 (file)
--- a/src/tool_urlglob.h
+++ b/src/tool_urlglob.h
@@ -53,9 +53,12 @@ typedef struct {
    } content;
  } URLPattern;
  
+/* the total number of globs supported */
+#define GLOB_PATTERN_NUM 9
+
  typedef struct {
    char *literal[10];
-  URLPattern pattern[9];
+  URLPattern pattern[GLOB_PATTERN_NUM+1];
    size_t size;
    size_t urllen;
    char *glob_buffer;
author	Daniel Stenberg <daniel@haxx.se>
	Tue, 7 Aug 2012 11:45:59 +0000 (13:45 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Tue, 7 Aug 2012 11:45:59 +0000 (13:45 +0200)
src/tool_urlglob.c		patch \| blob \| history
src/tool_urlglob.h		patch \| blob \| history