mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 15:48:49 -05:00
Fix a variable potential wrapping in add_buffer() when using absolutely
huge send buffer sizes
This commit is contained in:
parent
c508d70258
commit
a2926ebe7c
4
CHANGES
4
CHANGES
@ -6,6 +6,10 @@
|
||||
|
||||
Changelog
|
||||
|
||||
Yang Tse (14 Nov 2007)
|
||||
- Fix a variable potential wrapping in add_buffer() when using absolutely
|
||||
huge send buffer sizes.
|
||||
|
||||
Daniel S (13 Nov 2007)
|
||||
- Fixed a remaining problem with doing SFTP directory listings on a re-used
|
||||
persistent connection. Mentioned by Immanuel Gregoire on the mailing list.
|
||||
|
@ -20,6 +20,7 @@ This release includes the following bugfixes:
|
||||
o curl.h version 7.17.1 problem when building C++ apps with MSVC
|
||||
o SFTP and SCP use persistent connections
|
||||
o segfault on bad URL
|
||||
o variable wrapping when using absolutely huge send buffer sizes
|
||||
|
||||
This release includes the following known bugs:
|
||||
|
||||
|
21
lib/http.c
21
lib/http.c
@ -1083,9 +1083,28 @@ CURLcode add_buffer(send_buffer *in, const void *inptr, size_t size)
|
||||
char *new_rb;
|
||||
size_t new_size;
|
||||
|
||||
if(~size < in->size_used) {
|
||||
/* If resulting used size of send buffer would wrap size_t, cleanup
|
||||
the whole buffer and return error. Otherwise the required buffer
|
||||
size will fit into a single allocatable memory chunk */
|
||||
Curl_safefree(in->buffer);
|
||||
free(in);
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
}
|
||||
|
||||
if(!in->buffer ||
|
||||
((in->size_used + size) > (in->size_max - 1))) {
|
||||
new_size = (in->size_used+size)*2;
|
||||
|
||||
/* If current buffer size isn't enough to hold the result, use a
|
||||
buffer size that doubles the required size. If this new size
|
||||
would wrap size_t, then just use the largest possible one */
|
||||
|
||||
if((size > (size_t)-1/2) || (in->size_used > (size_t)-1/2) ||
|
||||
(~(size*2) < (in->size_used*2)))
|
||||
new_size = (size_t)-1;
|
||||
else
|
||||
new_size = (in->size_used+size)*2;
|
||||
|
||||
if(in->buffer)
|
||||
/* we have a buffer, enlarge the existing one */
|
||||
new_rb = (char *)realloc(in->buffer, new_size);
|
||||
|
Loading…
Reference in New Issue
Block a user