Update cURL to v8.19.0 to fix its security issue (CVE-2025-14819)

Fix notepad-plus-plus/notepad-plus-plus#17869

Author: donho

curl/.clang-tidy.yml

@@ -0,0 +1,48 @@
+# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# SPDX-License-Identifier: curl
+---
+# https://clang.llvm.org/extra/clang-tidy/
+
+# https://clang.llvm.org/extra/clang-tidy/checks/list.html
+Checks:
+  - clang-analyzer-*
+  - -clang-analyzer-optin.performance.Padding
+  - -clang-analyzer-security.ArrayBound  # due to false positives with clang-tidy v21.1.0
+  - -clang-analyzer-security.insecureAPI.bzero  # for FD_ZERO() (seen on macOS)
+  - -clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling
+  - -clang-diagnostic-nullability-extension
+  - bugprone-assert-side-effect
+  - bugprone-chained-comparison
+  - bugprone-dynamic-static-initializers
+  - bugprone-macro-parentheses
+  - bugprone-macro-repeated-side-effects
+  - bugprone-misplaced-operator-in-strlen-in-alloc
+  - bugprone-misplaced-pointer-arithmetic-in-alloc
+  - bugprone-not-null-terminated-result
+  - bugprone-posix-return
+  - bugprone-redundant-branch-condition
+  - bugprone-signed-char-misuse
+  - bugprone-suspicious-enum-usage
+  - bugprone-suspicious-memset-usage
+  - bugprone-suspicious-missing-comma
+  - bugprone-suspicious-realloc-usage
+  - bugprone-suspicious-semicolon
+  - misc-const-correctness
+  - misc-header-include-cycle
+  - portability-*
+  - readability-duplicate-include
+  - readability-math-missing-parentheses
+  - readability-named-parameter
+  - readability-redundant-control-flow
+  - readability-redundant-declaration
+  - readability-redundant-function-ptr-dereference
+  - readability-redundant-parentheses
+  - readability-redundant-preprocessor
+  - readability-suspicious-call-argument
+  - readability-uppercase-literal-suffix
+
+CheckOptions:
+  misc-header-include-cycle.IgnoredFilesList: 'curl/curl.h'
+
+HeaderFilterRegex: '.*'  # Default in v22.1.0+

curl/.editorconfig

@@ -0,0 +1,18 @@
+# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# SPDX-License-Identifier: curl
+
+root = true
+
+[*]
+charset = utf-8
+insert_final_newline = true
+indent_style = space
+trim_trailing_whitespace = true
+
+[*.{c,h}]
+indent_size = 2
+max_line_length = 79
+
+[*.{pl,pm}]
+indent_size = 4

curl/CHANGES.md

@@ -4,7 +4,7 @@ Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 SPDX-License-Identifier: curl
 -->
 
-In a release tarball, check the RELEASES-NOTES file for what was done in the
+In a release tarball, check the RELEASE-NOTES file for what was done in the
 most recent release. In a git check-out, that file mentions changes that have
 been done since the previous release.
 

curl/CMake/CMakeConfigurableFile.in

@@ -24,12 +24,12 @@
 option(CURL_HIDDEN_SYMBOLS "Hide libcurl internal symbols (=hide all symbols that are not officially external)" ON)
 mark_as_advanced(CURL_HIDDEN_SYMBOLS)
 
-if(WIN32 AND (ENABLE_DEBUG OR ENABLE_CURLDEBUG))
+if(WIN32 AND ENABLE_DEBUG)
   # We need to export internal debug functions,
   # e.g. curl_easy_perform_ev() or curl_dbg_*(),
   # so disable symbol hiding for debug builds and for memory tracking.
   set(CURL_HIDDEN_SYMBOLS OFF)
-elseif(DOS OR AMIGA OR MINGW32CE)
+elseif(DOS OR AMIGA)
   set(CURL_HIDDEN_SYMBOLS OFF)
 endif()
 

curl/CMake/CurlSymbolHiding.cmake

@@ -27,9 +27,9 @@
 #include <sys/types.h>
 #include <unistd.h>
 #include <fcntl.h>
-/* */
+
 #if defined(sun) || defined(__sun__) || \
-    defined(__SUNPRO_C) || defined(__SUNPRO_CC)
+  defined(__SUNPRO_C) || defined(__SUNPRO_CC)
 #  if defined(__SVR4) || defined(__srv4__)
 #    define PLATFORM_SOLARIS
 #  else
@@ -39,7 +39,7 @@
 #if (defined(_AIX) || defined(__xlC__)) && !defined(_AIX41)
 #  define PLATFORM_AIX_V3
 #endif
-/* */
+
 #if defined(PLATFORM_SUNOS4) || defined(PLATFORM_AIX_V3)
 #error "O_NONBLOCK does not work on this platform"
 #endif
@@ -87,7 +87,7 @@ int main(void)
 #elif defined(HAVE_GETHOSTBYNAME_R_5) || \
       defined(HAVE_GETHOSTBYNAME_R_5_REENTRANT)
   rc = gethostbyname_r(address, &h, buffer, 8192, &h_errnop);
-  (void)hp; /* not used for test */
+  (void)hp;
   (void)h_errnop;
 #elif defined(HAVE_GETHOSTBYNAME_R_6) || \
       defined(HAVE_GETHOSTBYNAME_R_6_REENTRANT)
@@ -119,16 +119,19 @@ int main(void)
 #include <stdarg.h>
 #include <string.h>
 #include <float.h>
-int main(void) { return 0; }
+int main(void)
+{
+  return 0;
+}
 #endif
 
 #ifdef HAVE_FILE_OFFSET_BITS
 #include <sys/types.h>
 /* Check that off_t can represent 2**63 - 1 correctly.
-   We cannot simply define LARGE_OFF_T to be 9223372036854775807,
+   We cannot define LARGE_OFF_T to be 9223372036854775807,
    since some C++ compilers masquerading as C compilers
    incorrectly reject 9223372036854775807. */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T (((off_t)1 << 62) - 1 + ((off_t)1 << 62))
 static int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 &&
                            LARGE_OFF_T % 2147483647 == 1)
                           ? 1 : -1];
@@ -272,7 +275,10 @@ int main(void)
 #include <string.h>
 #include <errno.h>
 
-static void check(char c) { (void)c; }
+static void check(char c)
+{
+  (void)c;
+}
 
 int main(void)
 {
@@ -289,7 +295,10 @@ int main(void)
 #include <errno.h>
 
 /* Float, because a pointer cannot be implicitly cast to float */
-static void check(float f) { (void)f; }
+static void check(float f)
+{
+  (void)f;
+}
 
 int main(void)
 {

curl/CMake/CurlTests.c

@@ -25,39 +25,47 @@
 #
 # Input variables:
 #
-# - `BROTLI_INCLUDE_DIR`:    The brotli include directory.
-# - `BROTLICOMMON_LIBRARY`:  Path to `brotlicommon` library.
-# - `BROTLIDEC_LIBRARY`:     Path to `brotlidec` library.
+# - `BROTLI_INCLUDE_DIR`:      Absolute path to brotli include directory.
+# - `BROTLICOMMON_LIBRARY`:    Absolute path to `brotlicommon` library.
+# - `BROTLIDEC_LIBRARY`:       Absolute path to `brotlidec` library.
+# - `BROTLI_USE_STATIC_LIBS`:  Configure for static brotli libraries.
 #
-# Result variables:
+# Defines:
 #
-# - `BROTLI_FOUND`:          System has brotli.
-# - `BROTLI_INCLUDE_DIRS`:   The brotli include directories.
-# - `BROTLI_LIBRARIES`:      The brotli library names.
-# - `BROTLI_LIBRARY_DIRS`:   The brotli library directories.
-# - `BROTLI_PC_REQUIRES`:    The brotli pkg-config packages.
-# - `BROTLI_CFLAGS`:         Required compiler flags.
-# - `BROTLI_VERSION`:        Version of brotli.
+# - `BROTLI_FOUND`:            System has brotli.
+# - `BROTLI_VERSION`:          Version of brotli.
+# - `CURL::brotli`:            brotli library target.
 
-set(BROTLI_PC_REQUIRES "libbrotlidec" "libbrotlicommon")  # order is significant: brotlidec then brotlicommon
+set(_brotli_pc_requires "libbrotlidec" "libbrotlicommon")  # order is significant: brotlidec then brotlicommon
 
 if(CURL_USE_PKGCONFIG AND
    NOT DEFINED BROTLI_INCLUDE_DIR AND
    NOT DEFINED BROTLICOMMON_LIBRARY AND
    NOT DEFINED BROTLIDEC_LIBRARY)
   find_package(PkgConfig QUIET)
-  pkg_check_modules(BROTLI ${BROTLI_PC_REQUIRES})
+  pkg_check_modules(_brotli ${_brotli_pc_requires})
 endif()
 
-if(BROTLI_FOUND)
+if(_brotli_FOUND)
   set(Brotli_FOUND TRUE)
-  set(BROTLI_VERSION "${BROTLI_libbrotlicommon_VERSION}")
-  string(REPLACE ";" " " BROTLI_CFLAGS "${BROTLI_CFLAGS}")
-  message(STATUS "Found Brotli (via pkg-config): ${BROTLI_INCLUDE_DIRS} (found version \"${BROTLI_VERSION}\")")
+  set(BROTLI_FOUND TRUE)
+  set(BROTLI_VERSION ${_brotli_libbrotlicommon_VERSION})
+  if(BROTLI_USE_STATIC_LIBS)
+    set(_brotli_CFLAGS       "${_brotli_STATIC_CFLAGS}")
+    set(_brotli_INCLUDE_DIRS "${_brotli_STATIC_INCLUDE_DIRS}")
+    set(_brotli_LIBRARY_DIRS "${_brotli_STATIC_LIBRARY_DIRS}")
+    set(_brotli_LIBRARIES    "${_brotli_STATIC_LIBRARIES}")
+  endif()
+  message(STATUS "Found Brotli (via pkg-config): ${_brotli_INCLUDE_DIRS} (found version \"${BROTLI_VERSION}\")")
 else()
   find_path(BROTLI_INCLUDE_DIR "brotli/decode.h")
-  find_library(BROTLICOMMON_LIBRARY NAMES "brotlicommon")
-  find_library(BROTLIDEC_LIBRARY NAMES "brotlidec")
+  if(BROTLI_USE_STATIC_LIBS)
+    find_library(BROTLICOMMON_LIBRARY NAMES "brotlicommon-static" "brotlicommon")
+    find_library(BROTLIDEC_LIBRARY NAMES "brotlidec-static" "brotlidec")
+  else()
+    find_library(BROTLICOMMON_LIBRARY NAMES "brotlicommon")
+    find_library(BROTLIDEC_LIBRARY NAMES "brotlidec")
+  endif()
 
   include(FindPackageHandleStandardArgs)
   find_package_handle_standard_args(Brotli
@@ -68,9 +76,25 @@ else()
   )
 
   if(BROTLI_FOUND)
-    set(BROTLI_INCLUDE_DIRS ${BROTLI_INCLUDE_DIR})
-    set(BROTLI_LIBRARIES ${BROTLIDEC_LIBRARY} ${BROTLICOMMON_LIBRARY})
+    set(_brotli_INCLUDE_DIRS ${BROTLI_INCLUDE_DIR})
+    set(_brotli_LIBRARIES ${BROTLIDEC_LIBRARY} ${BROTLICOMMON_LIBRARY})
   endif()
 
   mark_as_advanced(BROTLI_INCLUDE_DIR BROTLIDEC_LIBRARY BROTLICOMMON_LIBRARY)
 endif()
+
+if(BROTLI_FOUND)
+  if(CMAKE_VERSION VERSION_LESS 3.13)
+    link_directories(${_brotli_LIBRARY_DIRS})
+  endif()
+
+  if(NOT TARGET CURL::brotli)
+    add_library(CURL::brotli INTERFACE IMPORTED)
+    set_target_properties(CURL::brotli PROPERTIES
+      INTERFACE_LIBCURL_PC_MODULES "${_brotli_pc_requires}"
+      INTERFACE_COMPILE_OPTIONS "${_brotli_CFLAGS}"
+      INTERFACE_INCLUDE_DIRECTORIES "${_brotli_INCLUDE_DIRS}"
+      INTERFACE_LINK_DIRECTORIES "${_brotli_LIBRARY_DIRS}"
+      INTERFACE_LINK_LIBRARIES "${_brotli_LIBRARIES}")
+  endif()
+endif()

curl/CMake/FindBrotli.cmake

@@ -25,35 +25,44 @@
 #
 # Input variables:
 #
-# - `CARES_INCLUDE_DIR`:   The c-ares include directory.
-# - `CARES_LIBRARY`:       Path to `cares` library.
+# - `CARES_INCLUDE_DIR`:      Absolute path to c-ares include directory.
+# - `CARES_LIBRARY`:          Absolute path to `cares` library.
+# - `CARES_USE_STATIC_LIBS`:  Configure for static c-ares libraries.
 #
-# Result variables:
+# Defines:
 #
-# - `CARES_FOUND`:         System has c-ares.
-# - `CARES_INCLUDE_DIRS`:  The c-ares include directories.
-# - `CARES_LIBRARIES`:     The c-ares library names.
-# - `CARES_LIBRARY_DIRS`:  The c-ares library directories.
-# - `CARES_PC_REQUIRES`:   The c-ares pkg-config packages.
-# - `CARES_CFLAGS`:        Required compiler flags.
-# - `CARES_VERSION`:       Version of c-ares.
+# - `CARES_FOUND`:            System has c-ares.
+# - `CARES_VERSION`:          Version of c-ares.
+# - `CURL::cares`:            c-ares library target.
 
-set(CARES_PC_REQUIRES "libcares")
+set(_cares_pc_requires "libcares")
 
 if(CURL_USE_PKGCONFIG AND
    NOT DEFINED CARES_INCLUDE_DIR AND
    NOT DEFINED CARES_LIBRARY)
   find_package(PkgConfig QUIET)
-  pkg_check_modules(CARES ${CARES_PC_REQUIRES})
+  pkg_check_modules(_cares ${_cares_pc_requires})
 endif()
 
-if(CARES_FOUND)
+if(_cares_FOUND)
   set(Cares_FOUND TRUE)
-  string(REPLACE ";" " " CARES_CFLAGS "${CARES_CFLAGS}")
-  message(STATUS "Found Cares (via pkg-config): ${CARES_INCLUDE_DIRS} (found version \"${CARES_VERSION}\")")
+  set(CARES_FOUND TRUE)
+  set(CARES_VERSION ${_cares_VERSION})
+  if(CARES_USE_STATIC_LIBS)
+    set(_cares_CFLAGS       "${_cares_STATIC_CFLAGS}")
+    set(_cares_INCLUDE_DIRS "${_cares_STATIC_INCLUDE_DIRS}")
+    set(_cares_LIBRARY_DIRS "${_cares_STATIC_LIBRARY_DIRS}")
+    set(_cares_LIBRARIES    "${_cares_STATIC_LIBRARIES}")
+  endif()
+  message(STATUS "Found Cares (via pkg-config): ${_cares_INCLUDE_DIRS} (found version \"${CARES_VERSION}\")")
 else()
   find_path(CARES_INCLUDE_DIR NAMES "ares.h")
-  find_library(CARES_LIBRARY NAMES ${CARES_NAMES} "cares")
+  if(CARES_USE_STATIC_LIBS)
+    set(_cares_CFLAGS "-DCARES_STATICLIB")
+    find_library(CARES_LIBRARY NAMES ${CARES_NAMES} "cares_static" "cares")
+  else()
+    find_library(CARES_LIBRARY NAMES ${CARES_NAMES} "cares")
+  endif()
 
   unset(CARES_VERSION CACHE)
   if(CARES_INCLUDE_DIR AND EXISTS "${CARES_INCLUDE_DIR}/ares_version.h")
@@ -85,13 +94,29 @@ else()
   )
 
   if(CARES_FOUND)
-    set(CARES_INCLUDE_DIRS ${CARES_INCLUDE_DIR})
-    set(CARES_LIBRARIES    ${CARES_LIBRARY})
+    set(_cares_INCLUDE_DIRS ${CARES_INCLUDE_DIR})
+    set(_cares_LIBRARIES    ${CARES_LIBRARY})
   endif()
 
   mark_as_advanced(CARES_INCLUDE_DIR CARES_LIBRARY)
 endif()
 
-if(CARES_FOUND AND WIN32)
-  list(APPEND CARES_LIBRARIES "iphlpapi")  # for if_indextoname and others
+if(CARES_FOUND)
+  if(WIN32)
+    list(APPEND _cares_LIBRARIES "iphlpapi")  # for if_indextoname and others
+  endif()
+
+  if(CMAKE_VERSION VERSION_LESS 3.13)
+    link_directories(${_cares_LIBRARY_DIRS})
+  endif()
+
+  if(NOT TARGET CURL::cares)
+    add_library(CURL::cares INTERFACE IMPORTED)
+    set_target_properties(CURL::cares PROPERTIES
+      INTERFACE_LIBCURL_PC_MODULES "${_cares_pc_requires}"
+      INTERFACE_COMPILE_OPTIONS "${_cares_CFLAGS}"
+      INTERFACE_INCLUDE_DIRECTORIES "${_cares_INCLUDE_DIRS}"
+      INTERFACE_LINK_DIRECTORIES "${_cares_LIBRARY_DIRS}"
+      INTERFACE_LINK_LIBRARIES "${_cares_LIBRARIES}")
+  endif()
 endif()