mirror of https://github.com/moparisthebest/curl
readwrite: make sure excess reads don't go beyond buffer end
CVE-2018-1000122 Bug: https://curl.haxx.se/docs/adv_2018-b047.html Detected by OSS-fuzz
This commit is contained in:
parent
ddb879c6ae
commit
d52dc4760f
|
@ -808,10 +808,15 @@ static CURLcode readwrite_data(struct Curl_easy *data,
|
|||
|
||||
} /* if(!header and data to read) */
|
||||
|
||||
if(conn->handler->readwrite &&
|
||||
(excess > 0 && !conn->bits.stream_was_rewound)) {
|
||||
if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
|
||||
/* Parse the excess data */
|
||||
k->str += nread;
|
||||
|
||||
if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
|
||||
/* the excess amount was too excessive(!), make sure
|
||||
it doesn't read out of buffer */
|
||||
excess = &k->buf[data->set.buffer_size] - k->str;
|
||||
}
|
||||
nread = (ssize_t)excess;
|
||||
|
||||
result = conn->handler->readwrite(data, conn, &nread, &readmore);
|
||||
|
|
Loading…
Reference in New Issue