From 738b0ba09eb0b9e662dea3c436a88d505195f5e4 Mon Sep 17 00:00:00 2001
From: Jay Satiro
Date: Mon, 7 Dec 2015 02:43:24 -0500
Subject: [PATCH] formdata: Check if length is too large for memory
- If the size of the length type (curl_off_t) is greater than the size of the size_t type then check before allocating memory to make sure the value of length will fit in a size_t without overflow. If it doesn't then return CURLE_BAD_FUNCTION_ARGUMENT.
Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
Reported-by: Steve Holme
---
 lib/formdata.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/lib/formdata.c b/lib/formdata.c
index cb061acb7..113e582a3 100644
--- a/lib/formdata.c
+++ b/lib/formdata.c
@@ -830,19 +830,26 @@ static CURLcode AddFormData(struct FormData **formp,
 return CURLE_OUT_OF_MEMORY;
 newform->next = NULL;
+ if(length < 0 || (size && *size < 0))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+
 if(type <= FORM_CONTENT) {
 /* we make it easier for plain strings: */
 if(!length)
 length = strlen((char *)line);
+#if (SIZEOF_SIZE_T < CURL_SIZEOF_CURL_OFF_T)
+ else if(length >= (curl_off_t)(size_t)-1)
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+#endif
- newform->line = malloc(length+1);
+ newform->line = malloc((size_t)length+1);
 if(!newform->line) {
 free(newform);
 return CURLE_OUT_OF_MEMORY;
 }
- memcpy(newform->line, line, length);
- newform->length = length;
- newform->line[length]=0; /* zero terminate for easier debugging */
+ memcpy(newform->line, line, (size_t)length);
+ newform->length = (size_t)length;
+ newform->line[(size_t)length]=0; /* zero terminate for easier debugging */
 }
 else
 /* For callbacks and files we don't have any actual data so we just keep a
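Review bot: Both new `return CURLE_BAD_FUNCTION_ARGUMENT;` paths leak newform: the `if(length < 0 || (size && *size < 0))` check and the `#if`-guarded `else if(length >= (curl_off_t)(size_t)-1)` check run after newform has been allocated (the context lines `return CURLE_OUT_OF_MEMORY;` and `newform->next = NULL;` precede them), yet unlike the existing `if(!newform->line)` path they do not `free(newform)` before returning. Every rejected call therefore drops one FormData allocation, which is a small but repeatable leak on an input-validation path. Either hoist the argument checks ahead of the allocation or free newform in both branches, as in the excerpt below. AddFormData begins and ends outside this hunk, so the allocation itself is not visible here; the `free(newform)` in the out-of-memory path is what shows it is still locally owned at that point.
```c
  if(length < 0 || (size && *size < 0)) {
    free(newform);                 /* newform was allocated above; do not leak it */
    return CURLE_BAD_FUNCTION_ARGUMENT;
  }
  /* … unchanged: if(type <= FORM_CONTENT) { … */
    if(!length)
      length = strlen((char *)line);
#if (SIZEOF_SIZE_T < CURL_SIZEOF_CURL_OFF_T)
    else if(length >= (curl_off_t)(size_t)-1) {
      free(newform);               /* same ownership as the OOM path below */
      return CURLE_BAD_FUNCTION_ARGUMENT;
    }
#endif
  /* … unchanged: malloc((size_t)length+1) and the memcpy/terminate … */
```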