The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2018-07-31T21:00:00
Updated: 2024-08-06T02:27:40.993Z
Reserved: 2016-10-12T00:00:00
Link: CVE-2016-8622
Vulnrichment
No data.
NVD
Status : Modified
Published: 2018-07-31T21:29:00.317
Modified: 2024-11-21T02:59:41.960
Link: CVE-2016-8622
Redhat