From fbb5f1aa0326d485d5a7ac643b48481897ca667f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 3 Oct 2016 17:27:16 +0200
Subject: [PATCH] range: prevent negative end number in a glob range

CVE: CVE-2016-8620

Upstream-Status: Backport

Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 src/tool_urlglob.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index a357b8b..64c75ba 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -257,6 +257,12 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
         endp = NULL;
       else {
         pattern = endp+1;
+        while(*pattern && ISBLANK(*pattern))
+          pattern++;
+        if(!ISDIGIT(*pattern)) {
+          endp = NULL;
+          goto fail;
+        }
         errno = 0;
         max_n = strtoul(pattern, &endp, 10);
         if(errno || (*endp == ':')) {
@@ -277,6 +283,7 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
       }
     }
 
+    fail:
     *posp += (pattern - *patternp);
 
     if(!endp || (min_n > max_n) || (step_n > (max_n - min_n)) || !step_n)
-- 
1.9.1