--- /dev/null
+From 6019f1795b4e3b72507b84b0e02dc8c32024f562 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 11 Mar 2017 10:59:34 +0100
+Subject: [PATCH] CVE-2017-7407: fixed
+
+Bug: https://curl.haxx.se/docs/adv_20170403.html
+
+Reported-by: Brian Carpenter
+[baruch: remove tests]
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Patch status: based on upstream suggested patch[1] that combines commits
+1890d59905414ab and 8e65877870c1.
+
+[1] https://curl.haxx.se/CVE-2017-7407.patch
+
+diff --git a/src/tool_writeout.c b/src/tool_writeout.c
+index 2fb77742a..5d92bd278 100644
+--- a/src/tool_writeout.c
++++ b/src/tool_writeout.c
+@@ -3,11 +3,11 @@
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+@@ -111,11 +111,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
+ char *stringp = NULL;
+ long longinfo;
+ double doubleinfo;
+
+ while(ptr && *ptr) {
+- if('%' == *ptr) {
++ if('%' == *ptr && ptr[1]) {
+ if('%' == ptr[1]) {
+ /* an escaped %-letter */
+ fputc('%', stream);
+ ptr += 2;
+ }
+@@ -339,11 +339,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
+ fputc(ptr[1], stream);
+ ptr += 2;
+ }
+ }
+ }
+- else if('\\' == *ptr) {
++ else if('\\' == *ptr && ptr[1]) {
+ switch(ptr[1]) {
+ case 'r':
+ fputc('\r', stream);
+ break;
+ case 'n':
+-- 2.11.0
+
projects / buildroot.git / commitdiff