
aprintf: detect wrap-around when growing allocation

On 32bit systems we could otherwise wrap around after 2GB and allocate 0
bytes and crash.

CVE-2016-8618

Bug: https://curl.haxx.se/docs/adv_20161102D.html
Reported-by: Cure53
Daniel Stenberg 2016-09-28 10:15:34 +02:00
parent ee4f76606c
commit 8732ec40db


@ -1036,16 +1036,19 @@ static int alloc_addbyter(int output, FILE *data)
infop->len =0;
}
else if(infop->len+1 >= infop->alloc) {
char *newptr;
char *newptr = NULL;
size_t newsize = infop->alloc*2;
newptr = realloc(infop->buffer, infop->alloc*2);
/* detect wrap-around or other overflow problems */
if(newsize > infop->alloc)
newptr = realloc(infop->buffer, newsize);
if(!newptr) {
infop->fail = 1;
return -1; /* fail */
}
infop->buffer = newptr;
infop->alloc *= 2;
infop->alloc = newsize;
}
infop->buffer[ infop->len ] = outc;
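Review bot: The guard `if(newsize > infop->alloc)` detects the wrap only if `infop->alloc` is an unsigned type such as `size_t`. Its declaration is outside this hunk and should be confirmed, since doubling a signed field would overflow with undefined behaviour before the comparison runs. The comment could state the invariant instead of "other overflow problems", for example `/* unsigned alloc*2 wraps to a value <= alloc; newptr then stays NULL and the failure path below runs */`. Testing before the multiply, `if(infop->alloc <= (size_t)-1 / 2)`, would express the same check without depending on the wrapped result. On the failure path `infop->buffer` still points at the old allocation, so whoever checks `infop->fail` presumably has to free it; that code, and the start and end of `alloc_addbyter`, are outside the hunk.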