I recently discovered a slew of bugs in curl [1], which occur in all versions I have access to, including latest release at time of writing (7.32.0) and goes back to at least 7.19.7.

One of the bugs can be used to crash curl or systems using curl via exec (not libcurl), the others cause strange or incorrect behavior.

The bugs in question are:

• crasher [2] due to bad error handling
• sscanf [3]-based parsing overflow
• input validation [4] bug on the ”step” portion of a range glob
• URL count overflow [5] bug triggered by globbing for a ridiculous number of URL’s

These have all been fixed now, first as part of a general globbing overhaul [6] commit, followed by a specific URL overflow checking [7] fix.

See the bug reports for details on the errors and example invocations, hopefully a release fixing these issues is made soon.

These errors were encountered during my research on integer overflows, and I’m glad the developer fixed them so quickly! Hopefully these fixes will reach everyone in the form of a new release soon :).