current/SOURCES/CVE-2016-8620.patch

--- curl-7.40.0/src/tool_urlglob.c.0026 2016-11-03 12:57:04.479601646 +0200
+++ curl-7.40.0/src/tool_urlglob.c      2016-11-03 13:04:18.972196759 +0200
@@ -169,66 +169,70 @@
                            int globindex)
 {
   /* processes a range expression with the point behind the opening '['
      - char range: e.g. "a-z]", "B-Q]"
      - num range: e.g. "0-9]", "17-2000]"
      - num range with leading zeros: e.g. "001-999]"
      expression is checked for well-formedness and collected until the next ']'
   */
   URLPattern *pat;
   int rc;
   char *pattern = *patternp;
   char *c;
 
   pat = &glob->pattern[glob->size];
   pat->globindex = globindex;
 
   if(ISALPHA(*pattern)) {
     /* character range detected */
     char min_c;
     char max_c;
+    char end_c;
     int step=1;
 
     pat->type = UPTCharRange;
 
-    rc = sscanf(pattern, "%c-%c", &min_c, &max_c);
+    rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);
 
-    if((rc == 2) && (pattern[3] == ':')) {
-      char *endp;
-      unsigned long lstep;
-      errno = 0;
-      lstep = strtoul(&pattern[3], &endp, 10);
-      if(errno || (*endp != ']'))
-        step = -1;
-      else {
-        pattern = endp+1;
-        step = (int)lstep;
-        if(step > (max_c - min_c))
+    if(rc == 3) {
+      if(end_c == ':') {
+        char *endp;
+        unsigned long lstep;
+        errno = 0;
+        lstep = strtoul(&pattern[4], &endp, 10);
+        if(errno || (*endp != ']'))
           step = -1;
+        else {
+          pattern = endp+1;
+          step = (int)lstep;
+          if(step > (max_c - min_c))
+            step = -1;
+        }
       }
+      else if(end_c != ']')
+        /* then this is wrong */
+        rc = 0;
     }
-    else
-      pattern += 4;
 
     *posp += (pattern - *patternp);
 
-    if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
+    if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) ||
        (step < 0) )
       /* the pattern is not well-formed */
       return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);
 
     /* if there was a ":[num]" thing, use that as step or else use 1 */
     pat->content.CharRange.step = step;
     pat->content.CharRange.ptr_c = pat->content.CharRange.min_c = min_c;
     pat->content.CharRange.max_c = max_c;
 
     if(multiply(amount, (pat->content.CharRange.max_c -
                          pat->content.CharRange.min_c + 1)))
       return GLOBERROR("range overflow", *posp, CURLE_URL_MALFORMAT);
   }
   else if(ISDIGIT(*pattern)) {
     /* numeric range detected */
     unsigned long min_n;
     unsigned long max_n = 0;
     unsigned long step_n = 0;
     char *endp;
 
@@ -263,40 +267,41 @@
         errno = 0;
         max_n = strtoul(pattern, &endp, 10);
         if(errno || (*endp == ':')) {
           pattern = endp+1;
           errno = 0;
           step_n = strtoul(pattern, &endp, 10);
           if(errno)
             /* over/underflow situation */
             endp = NULL;
         }
         else
           step_n = 1;
         if(endp && (*endp == ']')) {
           pattern= endp+1;
         }
         else
           endp = NULL;
       }
     }
 
+    fail:
     *posp += (pattern - *patternp);
 
     if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)))
       /* the pattern is not well-formed */
       return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);
 
     /* typecasting to ints are fine here since we make sure above that we
        are within 31 bits */
     pat->content.NumRange.ptr_n = pat->content.NumRange.min_n = min_n;
     pat->content.NumRange.max_n = max_n;
     pat->content.NumRange.step = step_n;
 
     if(multiply(amount, (pat->content.NumRange.max_n -
                          pat->content.NumRange.min_n + 1)))
       return GLOBERROR("range overflow", *posp, CURLE_URL_MALFORMAT);
   }
   else
     return GLOBERROR("bad range specification", *posp, CURLE_URL_MALFORMAT);
 
   *patternp = pattern;
1	--- curl-7.40.0/src/tool_urlglob.c.0026 2016-11-03 12:57:04.479601646 +0200
2	+++ curl-7.40.0/src/tool_urlglob.c 2016-11-03 13:04:18.972196759 +0200
3	@@ -169,66 +169,70 @@
4	int globindex)
5	{
6	/* processes a range expression with the point behind the opening '['
7	- char range: e.g. "a-z]", "B-Q]"
8	- num range: e.g. "0-9]", "17-2000]"
9	- num range with leading zeros: e.g. "001-999]"
10	expression is checked for well-formedness and collected until the next ']'
11	*/
12	URLPattern *pat;
13	int rc;
14	char pattern = patternp;
15	char *c;
16
17	pat = &glob->pattern[glob->size];
18	pat->globindex = globindex;
19
20	if(ISALPHA(*pattern)) {
21	/* character range detected */
22	char min_c;
23	char max_c;
24	+ char end_c;
25	int step=1;
26
27	pat->type = UPTCharRange;
28
29	- rc = sscanf(pattern, "%c-%c", &min_c, &max_c);
30	+ rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c);
31
32	- if((rc == 2) && (pattern[3] == ':')) {
33	- char *endp;
34	- unsigned long lstep;
35	- errno = 0;
36	- lstep = strtoul(&pattern[3], &endp, 10);
37	- if(errno \|\| (*endp != ']'))
38	- step = -1;
39	- else {
40	- pattern = endp+1;
41	- step = (int)lstep;
42	- if(step > (max_c - min_c))
43	+ if(rc == 3) {
44	+ if(end_c == ':') {
45	+ char *endp;
46	+ unsigned long lstep;
47	+ errno = 0;
48	+ lstep = strtoul(&pattern[4], &endp, 10);
49	+ if(errno \|\| (*endp != ']'))
50	step = -1;
51	+ else {
52	+ pattern = endp+1;
53	+ step = (int)lstep;
54	+ if(step > (max_c - min_c))
55	+ step = -1;
56	+ }
57	}
58	+ else if(end_c != ']')
59	+ /* then this is wrong */
60	+ rc = 0;
61	}
62	- else
63	- pattern += 4;
64
65	posp += (pattern - patternp);
66
67	- if((rc != 2) \|\| (min_c >= max_c) \|\| ((max_c - min_c) > ('z' - 'a')) \|\|
68	+ if((rc != 3) \|\| (min_c >= max_c) \|\| ((max_c - min_c) > ('z' - 'a')) \|\|
69	(step < 0) )
70	/* the pattern is not well-formed */
71	return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);
72
73	/* if there was a ":[num]" thing, use that as step or else use 1 */
74	pat->content.CharRange.step = step;
75	pat->content.CharRange.ptr_c = pat->content.CharRange.min_c = min_c;
76	pat->content.CharRange.max_c = max_c;
77
78	if(multiply(amount, (pat->content.CharRange.max_c -
79	pat->content.CharRange.min_c + 1)))
80	return GLOBERROR("range overflow", *posp, CURLE_URL_MALFORMAT);
81	}
82	else if(ISDIGIT(*pattern)) {
83	/* numeric range detected */
84	unsigned long min_n;
85	unsigned long max_n = 0;
86	unsigned long step_n = 0;
87	char *endp;
88
89	@@ -263,40 +267,41 @@
90	errno = 0;
91	max_n = strtoul(pattern, &endp, 10);
92	if(errno \|\| (*endp == ':')) {
93	pattern = endp+1;
94	errno = 0;
95	step_n = strtoul(pattern, &endp, 10);
96	if(errno)
97	/* over/underflow situation */
98	endp = NULL;
99	}
100	else
101	step_n = 1;
102	if(endp && (*endp == ']')) {
103	pattern= endp+1;
104	}
105	else
106	endp = NULL;
107	}
108	}
109
110	+ fail:
111	posp += (pattern - patternp);
112
113	if(!endp \|\| (min_n > max_n) \|\| (step_n > (max_n - min_n)))
114	/* the pattern is not well-formed */
115	return GLOBERROR("bad range", *posp, CURLE_URL_MALFORMAT);
116
117	/* typecasting to ints are fine here since we make sure above that we
118	are within 31 bits */
119	pat->content.NumRange.ptr_n = pat->content.NumRange.min_n = min_n;
120	pat->content.NumRange.max_n = max_n;
121	pat->content.NumRange.step = step_n;
122
123	if(multiply(amount, (pat->content.NumRange.max_n -
124	pat->content.NumRange.min_n + 1)))
125	return GLOBERROR("range overflow", *posp, CURLE_URL_MALFORMAT);
126	}
127	else
128	return GLOBERROR("bad range specification", *posp, CURLE_URL_MALFORMAT);
129
130	*patternp = pattern;