| From 55b90532f9190dce40a325b3312d014c66dc3ae1 Mon Sep 17 00:00:00 2001 |
| From: Changqing Li <changqing.li@windriver.com> |
| Date: Thu, 1 Nov 2018 15:27:35 +0800 |
| Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check |
| |
| CVE-2018-16839 |
| Reported-by: Harry Sintonen |
| Bug: https://curl.haxx.se/docs/CVE-2018-16839.html |
| |
| Upstream-Status: Backport [https://github.com/curl/curl/commit |
| /f3a24d7916b9173c69a3e0ee790102993833d6c5?diff=unified] |
| |
| CVE: CVE-2018-16839 |
| |
| Signed-off-by: Changqing Li <changqing.li@windriver.com> |
| --- |
| lib/vauth/cleartext.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c |
| index 5d61ce6..1367143 100644 |
| --- a/lib/vauth/cleartext.c |
| +++ b/lib/vauth/cleartext.c |
| @@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, |
| plen = strlen(passwdp); |
| |
| /* Compute binary message length. Check for overflows. */ |
| - if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) |
| + if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) |
| return CURLE_OUT_OF_MEMORY; |
| plainlen = 2 * ulen + plen + 2; |
| |
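Review bot: The comment above the changed condition ("Compute binary message length. Check for overflows.") does not explain why `ulen` is bounded by `SIZE_T_MAX/4` while `plen` is bounded by `SIZE_T_MAX/2 - 2`, so a future edit could easily "tidy" the two bounds back into the symmetric form this CVE fix removes. The asymmetry follows from `plainlen = 2 * ulen + plen + 2` on the next line: `ulen` is doubled, so `2 * ulen` must stay at or below `SIZE_T_MAX/2` for the sum to fit in `size_t`. I would extend the comment to something like `/* ulen is counted twice in plainlen, so limit it to SIZE_T_MAX/4; with plen <= SIZE_T_MAX/2 - 2 the sum 2*ulen + plen + 2 cannot wrap */`. The body of Curl_auth_create_plain_message starts and ends outside this hunk, so whether `plainlen` is enlarged again before allocation cannot be checked from here and is worth confirming when applying the backport.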
| -- |
| 2.7.4 |
| |