tool_urlglob: fix off-by-one error in glob_parse()

... causing SIGSEGV while parsing URL with too many globs.
Minimal example:

$ curl $(for i in $(seq 101); do printf '{a}'; done)

Reported-by: Romain Coltel
Bug: https://bugzilla.redhat.com/1340757

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 6cdd0e7252258bb634c15e31cdb21b0e8ec6fef7..e20319c2ae9ac7094ad2b7d04f67edb9c46d1745 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -19,6 +19,7 @@ This release includes the following bugfixes:
  o URL parser: allow URLs to use one, two or three slashes [6]
  o curl: fix -q [regression] [7]
  o openssl: Use correct buffer sizes for error messages [8]
+ o curl: fix SIGSEGV while parsing URL with too many globs [9]
 
 This release includes the following known bugs:
 
@@ -43,3 +44,4 @@ References to bug reports and discussions on issues:
  [6] = https://curl.haxx.se/bug/?i=791
  [7] = https://curl.haxx.se/bug/?i=842
  [8] = https://curl.haxx.se/bug/?i=844
+ [9] = https://bugzilla.redhat.com/1340757

diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index 70d17fed1145236a5c007817cd5fe8b3c078fe9f..a357b8b5619c1b6ece92d2b08c7aadafb5fbeee8 100644 (file)
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -401,7 +401,7 @@ static CURLcode glob_parse(URLGlob *glob, char *pattern,
       }
     }
 
-    if(++glob->size > GLOB_PATTERN_NUM)
+    if(++glob->size >= GLOB_PATTERN_NUM)
       return GLOBERROR("too many globs", pos, CURLE_URL_MALFORMAT);
   }
   return res;