curl: allow 500MB data URL encode strings

Previously it would bail out of the generated data reached 8MB in memory. Reported-by: Antoine du Hamel Fixes #14337 Closes #14340
2024-08-01 16:45:50 +02:00 · 2024-08-01 16:45:50 +02:00 · 1f61db5907
commit 1f61db5907
parent 9bfc7f9234
1 changed files with 16 additions and 6 deletions
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@ -846,6 +846,9 @@ static void cleanarg(argv_item_t str)
 #define cleanarg(x)
 #endif

+/* the maximum size we allow the dynbuf generated string */
+#define MAX_DATAURLENCODE (500*1024*1024)
+
 /* --data-urlencode */
 static ParameterError data_urlencode(struct GlobalConfig *global,
                                     char *nextarg,
@ -921,15 +924,22 @@ static ParameterError data_urlencode(struct GlobalConfig *global,
      char *n;
      replace_url_encoded_space_by_plus(enc);
      if(nlen > 0) { /* only append '=' if we have a name */
-        n = aprintf("%.*s=%s", (int)nlen, nextarg, enc);
-        curl_free(enc);
-        if(!n)
+        struct curlx_dynbuf dyn;
+        curlx_dyn_init(&dyn, MAX_DATAURLENCODE);
+        if(curlx_dyn_addn(&dyn, nextarg, nlen) ||
+           curlx_dyn_addn(&dyn, "=", 1) ||
+           curlx_dyn_add(&dyn, enc)) {
+          curl_free(enc);
          return PARAM_NO_MEM;
+        }
+        curl_free(enc);
+        n = curlx_dyn_ptr(&dyn);
+        size = curlx_dyn_len(&dyn);
      }
-      else
+      else {
        n = enc;
-
-      size = strlen(n);
+        size = strlen(n);
+      }
      postdata = n;
    }
    else