From 1f61db590755c16a1c5c3d2f2104f33aa6c9a077 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 1 Aug 2024 16:45:50 +0200
Subject: [PATCH] curl: allow 500MB data URL encode strings

Previously it would bail out of the generated data reached 8MB in
memory.

Reported-by: Antoine du Hamel
Fixes #14337
Closes #14340
---
 src/tool_getparam.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 4c9392cc64..b92a2038fe 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -846,6 +846,9 @@ static void cleanarg(argv_item_t str)
 #define cleanarg(x)
 #endif
 
+/* the maximum size we allow the dynbuf generated string */
+#define MAX_DATAURLENCODE (500*1024*1024)
+
 /* --data-urlencode */
 static ParameterError data_urlencode(struct GlobalConfig *global,
                                      char *nextarg,
@@ -921,15 +924,22 @@ static ParameterError data_urlencode(struct GlobalConfig *global,
       char *n;
       replace_url_encoded_space_by_plus(enc);
       if(nlen > 0) { /* only append '=' if we have a name */
-        n = aprintf("%.*s=%s", (int)nlen, nextarg, enc);
-        curl_free(enc);
-        if(!n)
+        struct curlx_dynbuf dyn;
+        curlx_dyn_init(&dyn, MAX_DATAURLENCODE);
+        if(curlx_dyn_addn(&dyn, nextarg, nlen) ||
+           curlx_dyn_addn(&dyn, "=", 1) ||
+           curlx_dyn_add(&dyn, enc)) {
+          curl_free(enc);
           return PARAM_NO_MEM;
+        }
+        curl_free(enc);
+        n = curlx_dyn_ptr(&dyn);
+        size = curlx_dyn_len(&dyn);
       }
-      else
+      else {
         n = enc;
-
-      size = strlen(n);
+        size = strlen(n);
+      }
       postdata = n;
     }
     else