Fix 'CVE-2018-16839'

Merge: curl/curl@f3a24d7916
2025-02-09 19:15:03 +01:00 · 2023-06-12 20:37:57 +02:00 · 2023-06-12 20:37:57 +02:00 · a022f81bc4
commit a022f81bc4
parent 1e4843fda3
1 changed files with 3 additions and 9 deletions
--- a/r5dev/thirdparty/curl/vauth/cleartext.c
+++ b/r5dev/thirdparty/curl/vauth/cleartext.c
@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
  ulen = strlen(userp);
  plen = strlen(passwdp);

-  /* Compute binary message length, checking for overflows. */
-  plainlen = 2 * ulen;
-  if(plainlen < ulen)
-    return CURLE_OUT_OF_MEMORY;
-  plainlen += plen;
-  if(plainlen < plen)
-    return CURLE_OUT_OF_MEMORY;
-  plainlen += 2;
-  if(plainlen < 2)
+  /* Compute binary message length. Check for overflows. */
+  if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
    return CURLE_OUT_OF_MEMORY;
+  plainlen = 2 * ulen + plen + 2;

  plainauth = malloc(plainlen);
  if(!plainauth)