When using the curly braces regex, if the second set of curly braces is not closed, curl segfaults. This does not happen when bash does the globbing. (see note1)
vlad@dslabpc34.epfl.ch:~/Desktop$ curl 'http://site.{one,two,three}.com{'
Segmentation fault (core dumped)
gdb stacktrace:
vlad@dslabpc34.epfl.ch:~/Desktop/curl-crash/curl-7.21.1$ gdb
GNU gdb (GDB) 7.1-ubuntu
[...]
(gdb) file src/.libs/curl
Reading symbols from /home/vlad/Desktop/curl-crash/curl-7.21.1/src/.libs/curl...done.
(gdb) run {}{
Starting program: /home/vlad/Desktop/curl-crash/curl-7.21.1/src/.libs/curl {}{
[Thread debugging using libthread_db enabled]
Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:31
31 ../sysdeps/x86_64/multiarch/../strlen.S: No such file or directory.
in ../sysdeps/x86_64/multiarch/../strlen.S
(gdb) bt
#0 __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:31
#1 0x000000000040ef8d in glob_next_url (glob=0x64d000) at urlglob.c:441
#2 0x000000000040d704 in operate (config=0x7fffffffdf20, argc=2, argv=0x7fffffffe358) at main.c:4779
#3 0x000000000040db04 in main (argc=2, argv=0x7fffffffe358) at main.c:5745
curl -V
curl 7.21.1 (x86_64-unknown-linux-gnu) libcurl/7.21.1 zlib/1.2.3.3
Protocols: dict file ftp http imap pop3 rtsp smtp telnet tftp
Features: IPv6 Largefile libz
and others (default curl package in 64-bit Ubuntu 10.04 and 32-bit Ubuntu 10.10 Release Candidate also crash)
Note1:
If you indicate the URL without the quotes, bash will do the globbing and curl will not crash:
vlad@dslabpc34.epfl.ch:~/Desktop$ curl http://site.\{one,two,three}.com{
but this will crash:
vlad@dslabpc34.epfl.ch:~/Desktop$ curl 'http://site.{one,two,three}.com{'
Note2:
The second curly brace doesn't necessarily have to be the last character in the line:
vlad@dslabpc34.epfl.ch:~/Desktop/curl-crash/curl-7.21.1$ curl '{}{http://'
Segmentation fault (core dumped)
Thanks for the report, this problem is now fixed in the git repository.
To try it out, you either checkout/update your git clone: http://curl.haxx.se/source.html
or you try tomorrow's daily snapshot: http://curl.haxx.se/snapshots/
Thank you for the fix. By the way, the bug was found automatically by a research tool we're building here in the Dependable Systems Lab at EPFL.
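The failure mode reported in this thread is an opening `{` that never gets its `}`. The check below is an added example, not curl's code and not the fix committed for this report. It validates brace sets before any expansion runs and reports the offset of the unterminated brace. The function name `glob_validate`, the status codes, and the choice to reject nested sets and stray `}` are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical status codes for this example (not curl's). */
enum glob_status { GLOB_OK = 0, GLOB_UNTERMINATED, GLOB_NESTED, GLOB_STRAY_CLOSE };

/* Validate the {a,b,c} sets of a URL pattern before expanding anything.
 * Success: *count receives the number of URLs the pattern expands to.
 * Failure: *errpos receives the offset of the offending brace. */
enum glob_status glob_validate(const char *pattern, size_t *count, size_t *errpos)
{
    size_t total = 1;    /* product of the sizes of all closed sets */
    size_t alts = 0;     /* alternatives in the set currently open */
    size_t open_at = 0;  /* offset of the '{' that opened it */
    int in_set = 0;

    for (size_t i = 0; pattern[i] != '\0'; i++) {
        char c = pattern[i];
        if (c == '{') {
            if (in_set) { *errpos = i; return GLOB_NESTED; }
            in_set = 1; open_at = i; alts = 1;  /* "{}" is one empty alternative */
        } else if (c == '}') {
            if (!in_set) { *errpos = i; return GLOB_STRAY_CLOSE; }
            total *= alts;
            in_set = 0;
        } else if (c == ',' && in_set) {
            alts++;
        }
    }
    /* End of string inside a set: the case from the report. */
    if (in_set) { *errpos = open_at; return GLOB_UNTERMINATED; }
    *count = total;
    return GLOB_OK;
}

int main(void)
{
    /* Patterns taken from the report, plus one well-formed pattern. */
    const char *samples[] = { "http://site.{one,two,three}.com",
                              "http://site.{one,two,three}.com{",
                              "{}{", "{}{http://" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0, pos = 0;
        enum glob_status st = glob_validate(samples[i], &n, &pos);
        if (st == GLOB_OK) printf("%-34s ok, %zu URLs\n", samples[i], n);
        else printf("%-34s rejected (status %d) at offset %zu\n", samples[i], (int)st, pos);
    }
    return 0;
}
```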