- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
  chunked-encoding trailer.

  http://curl.haxx.se/bug/view.cgi?id=2958474
Daniel Stenberg 2010-02-26 22:55:30 +00:00
parent 507d58435a
commit 03a57308b9
3 changed files with 15 additions and 4 deletions

@ -6,6 +6,12 @@
Changelog
Daniel Stenberg (26 Feb 2010)
- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
chunked-encoding trailer.
http://curl.haxx.se/bug/view.cgi?id=2958474
Daniel Fandrich (25 Feb 2010)
- Fixed a couple of out of memory leaks and a segfault in the SMTP & IMAP code.
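Review bot: the new entry says only "an off-by-one case" and does not say what was off by one. The code change in this commit enlarges both trailer buffer allocations by one byte, so the entry should state that the chunked-encoding trailer buffer was allocated one byte too small for what the parser appends. That lets a reader of the changelog judge the impact without opening the bug tracker.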

@ -20,6 +20,7 @@ This release includes the following bugfixes:
o SMTP: now waits for 250 after the DATA transfer
o SMTP: use angle brackets in RCPT TO
o curl --trace-time not using local time
o off-by-one in the chunked encoding trailer parser
This release includes the following known bugs:
@ -28,6 +29,7 @@ This release includes the following known bugs:
This release would not have looked like this without help, code, reports and
advice from friends like these:
Steven M. Schweda, Yang Tse, Jack Zhang, Tom Donovan, Martin Hager
Steven M. Schweda, Yang Tse, Jack Zhang, Tom Donovan, Martin Hager,
Daniel Fandrich, Patrick Monnerat, Pat Ray
Thanks! (and sorry if I forgot to mention someone)

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@ -306,14 +306,17 @@ CHUNKcode Curl_httpchunk_read(struct connectdata *conn,
/* conn->trailer is assumed to be freed in url.c on a
connection basis */
if(conn->trlPos >= conn->trlMax) {
/* in this logic we always allocate one byte more than trlMax
contains, just because CHUNK_TRAILER_POSTCR will append two bytes
so we need to make sure we have room for an extra byte */
char *ptr;
if(conn->trlMax) {
conn->trlMax *= 2;
ptr = realloc(conn->trailer,conn->trlMax);
ptr = realloc(conn->trailer, conn->trlMax + 1);
}
else {
conn->trlMax=128;
ptr = malloc(conn->trlMax);
ptr = malloc(conn->trlMax + 1);
}
if(!ptr)
return CHUNKE_OUT_OF_MEMORY;
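Review bot: conn->trlMax is updated (`conn->trlMax *= 2;` and `conn->trlMax=128;`) before the allocation result is checked, so on the `if(!ptr) return CHUNKE_OUT_OF_MEMORY;` path trlMax already names a size that conn->trailer does not have. Compute the new size in a local variable and store it in conn->trlMax only once ptr is known to be non-NULL. Two smaller points on the same lines: the buffer is now always trlMax + 1 bytes while the guard is still `conn->trlPos >= conn->trlMax`, an invariant recorded only in the new comment, so a single helper or macro for the allocation size would keep the realloc and malloc calls from drifting apart. The doubling also has no upper bound or overflow check visible in this hunk, so a cap on trailer length before `conn->trlMax *= 2` would keep a trailer sent by the peer from growing the allocation without limit.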