From 3ddae8ab2a70d594895bd3f844b79823310a3418 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 9 Nov 2020 16:24:13 +0100
Subject: curl_easy_escape: limit *output* string length to 3 * max input

... not the output string. As every input byte can be expanded to 3 output bytes, this could limit the input string to 2.66 MB instead of 8.

Reported-by: Marc Schlatter
---
 lib/escape.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/escape.c b/lib/escape.c
index 1ec698aa6..683b6fc4a 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -86,7 +86,7 @@ char *curl_easy_escape(struct Curl_easy *data, const char *string,
 if(inlength < 0) return NULL;
- Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH);
+ Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH * 3);
 length = (inlength?(size_t)inlength:strlen(string));
 if(!length)
--
cgit v1.2.1
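Review bot: With the ceiling raised to `CURL_MAX_INPUT_LENGTH * 3`, the limit in this hunk bounds only the escaped output, so the accepted input size now depends on content: as far as the visible lines show, input that needs little escaping can exceed CURL_MAX_INPUT_LENGTH and still succeed. If a uniform input limit is intended, an explicit check once `length` is computed, `if(length > CURL_MAX_INPUT_LENGTH) return NULL;`, would enforce it independently of the dynbuf ceiling. The `* 3` also deserves a comment such as `/* worst case: every input byte is emitted as %XX */`, and if the dynbuf limit also counts the terminating NUL, an all-escaped input of exactly the maximum length would presumably still be rejected. The function body continues past the end of the hunk, so any later checks are not visible here.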