tool_urlglob: fix off-by-one error in glob_parse()

kdudka · kdudka · commit 584d0121c353 · 2016-06-03T13:07:22.000+02:00
... causing SIGSEGV while parsing URL with too many globs. Minimal example: $ curl $(for i in $(seq 101); do printf '{a}'; done) Reported-by: Romain Coltel Bug: https://bugzilla.redhat.com/1340757
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
@@ -19,6 +19,7 @@ This release includes the following bugfixes:
  o URL parser: allow URLs to use one, two or three slashes [6]
  o curl: fix -q [regression] [7]
  o openssl: Use correct buffer sizes for error messages [8]
+ o curl: fix SIGSEGV while parsing URL with too many globs [9]
 
 This release includes the following known bugs:
 
@@ -43,3 +44,4 @@ References to bug reports and discussions on issues:
  [6] = https://curl.haxx.se/bug/?i=791
  [7] = https://curl.haxx.se/bug/?i=842
  [8] = https://curl.haxx.se/bug/?i=844
+ [9] = https://bugzilla.redhat.com/1340757
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
@@ -401,7 +401,7 @@ static CURLcode glob_parse(URLGlob *glob, char *pattern,
       }
     }
 
-    if(++glob->size > GLOB_PATTERN_NUM)
+    if(++glob->size >= GLOB_PATTERN_NUM)
       return GLOBERROR("too many globs", pos, CURLE_URL_MALFORMAT);
   }
   return res;

Original file line number	Diff line number	Diff line change
`@@ -401,7 +401,7 @@ static CURLcode glob_parse(URLGlob glob, char pattern,`
`401`	`401`	`}`
`402`	`402`	`}`
`403`	`403`
`404`		`- if(++glob->size > GLOB_PATTERN_NUM)`
	`404`	`+ if(++glob->size >= GLOB_PATTERN_NUM)`
`405`	`405`	`return GLOBERROR("too many globs", pos, CURLE_URL_MALFORMAT);`
`406`	`406`	`}`
`407`	`407`	`return res;`