curl-library

Re: curl_easy_escape() easily misused?

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Sat, 8 Oct 2016 15:09:05 -0400

On 10/8/2016 5:59 AM, Daniel Stenberg wrote:
>
> However, this means that a caller intending to supply a binary buffer
> and failing to explicitly check whether the buffer has a size equaling
> zero might in fact cause an out-of-bounds read. If this happens, it is
> also likely to translate into disclosure of the read data to an HTTP
> server. A cursory inspection of some code that uses curl_easy_escape()
> with a length argument shows that most cURL users fail to explicitly
> check for length zero. However, because the buffer normally contains a
> C string anyway, this shortcoming does not have much impact in practice.

It says clearly "If length is set to 0 (zero), curl_easy_escape uses
strlen() on the input string to find out the size." The burden is on the
caller to check, and I really don't think it's that big of one. I don't
see any harm in adding inline helpers like curl_easy_escape_string and
curl_easy_escape_binary, either.

#include <stdlib.h>     /* calloc */
#include <limits.h>     /* INT_MAX */
#include <curl/curl.h>  /* CURL, curl_easy_escape */

static inline
char *curl_easy_escape_string(CURL *curl, const char *string)
{
   /* length 0 tells libcurl to strlen() the input */
   return curl_easy_escape(curl, string, 0);
}

static inline
char *curl_easy_escape_binary(CURL *curl, const char *binary, size_t size)
{
   if(!size)
     /* empty buffer: hand back an empty string instead of letting libcurl
        strlen() past the buffer (assumes the default allocator, so the
        caller can still release it with curl_free()) */
     return (char *)calloc(1, 1);
   else if(size < (unsigned)(INT_MAX))
     return curl_easy_escape(curl, binary, (int)size);
   else
     return NULL; /* libcurl's length parameter is an int */
}

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-10-08
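The length-zero trap discussed in this thread, as an added example that is not part of the mail or of libcurl. It does not link against libcurl: `percent_encode()` is a stand-in encoder (unreserved bytes pass through, everything else becomes %XX), `escape_curl_style()` reproduces the documented "0 means strlen()" contract, and `escape_binary()` is the binary-safe wrapper the reply sketches. The `region` buffer and the function names are constructed for this demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* RFC 3986 unreserved characters, checked on ASCII ranges so the result
   does not depend on the C locale. */
static int is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') ||
           c == '-' || c == '.' || c == '_' || c == '~';
}

/* Stand-in for the encoder (not libcurl's code): honours the explicit
   length, so an embedded NUL byte is encoded instead of ending the input. */
static char *percent_encode(const unsigned char *in, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes %XX */
    size_t o = 0;
    if (!out)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (is_unreserved(c)) {
            out[o++] = (char)c;
        } else {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return out;
}

/* Mirrors the curl_easy_escape() contract quoted in the thread: a length
   of 0 means "treat the input as a C string and strlen() it". */
static char *escape_curl_style(const char *str, int length)
{
    size_t len = length ? (size_t)length : strlen(str);
    return percent_encode((const unsigned char *)str, len);
}

/* Binary-safe wrapper in the spirit of the reply's curl_easy_escape_binary:
   an empty buffer yields an empty string, never an strlen() walk, and sizes
   that do not fit the int length parameter are rejected. */
static char *escape_binary(const char *buf, size_t size)
{
    if (size == 0)
        return calloc(1, 1);
    if (size >= (size_t)INT_MAX)
        return NULL;
    return escape_curl_style(buf, (int)size);
}

/* Constructed scenario: the caller's payload is 0 bytes long and sits at the
   start of a region that also holds data it never meant to send. Returns how
   many extra bytes the naive call emitted compared with the safe wrapper. */
int demo_zero_length_trap(void)
{
    char region[] = "SECRET";
    char *naive = escape_curl_style(region, 0); /* 0 => strlen() => "SECRET" */
    char *safe = escape_binary(region, 0);      /* 0 => ""                   */
    int leaked = (int)strlen(naive) - (int)strlen(safe);
    free(naive);
    free(safe);
    return leaked;
}

int main(void)
{
    char *s = escape_curl_style("a b", 0);
    printf("string : %s\n", s);
    free(s);
    s = escape_binary("\x00\xff", 2);
    printf("binary : %s\n", s);
    free(s);
    printf("leaked : %d bytes\n", demo_zero_length_trap());
    return 0;
}
```

With a real libcurl the same split applies: route C strings through a string helper and anything with an explicit size through a wrapper that handles zero and the int ceiling before the call, so the length argument never silently changes meaning.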