PT-2016-7247 · Curl+5 · Libcurl+5
Published 2016-09-14 · Updated 2026-05-18 · CVE-2016-7167
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
libcurl versions prior to 7.50.3
Description
The issue is caused by multiple integer overflows in the curl_escape(), curl_easy_escape(), curl_unescape(), and curl_easy_unescape() functions. These functions perform string URL percent escaping and unescaping, and they accept custom string length inputs in signed integer arguments. The provided string length arguments were not properly checked, which could lead to a heap-based buffer overflow when a string of length 0xffffffff is passed. This occurs because the functions attempt to allocate zero bytes of heap memory and then write gigabytes of data into it.
Recommendations
For libcurl versions prior to 7.50.3, update to version 7.50.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the curl_escape(), curl_easy_escape(), curl_unescape(), and curl_easy_unescape() functions until a patch is available. Avoid passing large or unvalidated string lengths to these functions to minimize the risk of exploitation.
Fix
Integer Overflow
Related Identifiers
Affected Products
Alt Linux
Centos
Red Hat
Suse
Ubuntu
Libcurl