1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 15:48:49 -05:00

Fix a variable potential wrapping in add_buffer() when using absolutely

huge send buffer sizes
This commit is contained in:
Yang Tse 2007-11-14 00:48:11 +00:00
parent c508d70258
commit a2926ebe7c
3 changed files with 25 additions and 1 deletions

View File

@ -6,6 +6,10 @@
Changelog
Yang Tse (14 Nov 2007)
- Fix a variable potential wrapping in add_buffer() when using absolutely
huge send buffer sizes.
Daniel S (13 Nov 2007)
- Fixed a remaining problem with doing SFTP directory listings on a re-used
persistent connection. Mentioned by Immanuel Gregoire on the mailing list.

View File

@ -20,6 +20,7 @@ This release includes the following bugfixes:
o curl.h version 7.17.1 problem when building C++ apps with MSVC
o SFTP and SCP use persistent connections
o segfault on bad URL
o variable wrapping when using absolutely huge send buffer sizes
This release includes the following known bugs:

View File

@ -1083,9 +1083,28 @@ CURLcode add_buffer(send_buffer *in, const void *inptr, size_t size)
char *new_rb;
size_t new_size;
if(~size < in->size_used) {
/* If resulting used size of send buffer would wrap size_t, cleanup
the whole buffer and return error. Otherwise the required buffer
size will fit into a single allocatable memory chunk */
Curl_safefree(in->buffer);
free(in);
return CURLE_OUT_OF_MEMORY;
}
if(!in->buffer ||
((in->size_used + size) > (in->size_max - 1))) {
new_size = (in->size_used+size)*2;
/* If current buffer size isn't enough to hold the result, use a
buffer size that doubles the required size. If this new size
would wrap size_t, then just use the largest possible one */
if((size > (size_t)-1/2) || (in->size_used > (size_t)-1/2) ||
(~(size*2) < (in->size_used*2)))
new_size = (size_t)-1;
else
new_size = (in->size_used+size)*2;
if(in->buffer)
/* we have a buffer, enlarge the existing one */
new_rb = (char *)realloc(in->buffer, new_size);