author | Dan Fandrich <dan@coneharvesters.com> | 2017-03-11 10:59:34 +0100 |
---|---|---|
committer | Dan Fandrich <dan@coneharvesters.com> | 2017-03-12 08:28:31 +0100 |
commit | 1890d59905414ab84a35892b2e45833654aa5c13 (patch) | |
tree | e940c3226a4b39bb72760ac21a3d83b06af7965c | |
parent | d2bcf1e3e247d116dc96bd3ea32056e3f089449c (diff) |
tool_writeout: fixed a buffer read overrun on --write-out
If a % ended the statement, the string's trailing NUL would be skipped
and memory past the end of the buffer would be accessed and potentially
displayed as part of the --write-out output. Added tests 1440 and 1441
to check for this kind of condition.
Reported-by: Brian Carpenter
-rw-r--r-- | src/tool_writeout.c | 2 | ||||
-rw-r--r-- | tests/data/Makefile.inc | 2 | ||||
-rw-r--r-- | tests/data/test1440 | 31 | ||||
-rw-r--r-- | tests/data/test1441 | 31 |
4 files changed, 64 insertions, 2 deletions
diff --git a/src/tool_writeout.c b/src/tool_writeout.c
index 2fb77742a..7843182f2 100644
--- a/src/tool_writeout.c
+++ b/src/tool_writeout.c
@@ -113,7 +113,7 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
 double doubleinfo;
 while(ptr && *ptr) {
- if('%' == *ptr) {
+ if('%' == *ptr && ptr[1]) {
 if('%' == ptr[1]) {
 /* an escaped %-letter */
 fputc('%', stream);
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 7742bcfec..a6a06b81f 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -153,7 +153,7 @@ test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
 test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
 test1424 \
 test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
-test1436 test1437 test1438 test1439 \
+test1436 test1437 test1438 test1439 test1440 test1441 \
 \
 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
 test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
diff --git a/tests/data/test1440 b/tests/data/test1440
new file mode 100644
index 000000000..7ed0c4d5f
--- /dev/null
+++ b/tests/data/test1440
@@ -0,0 +1,31 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing %{
+</name>
+<command>
+file://localhost/%PWD/log/ --write-out '%{'
+</command>
+</client>
+
+# Verify data
+<verify>
+<stdout nonewline="yes">
+%{
+</stdout>
+</verify>
+</testcase>
diff --git a/tests/data/test1441 b/tests/data/test1441
new file mode 100644
index 000000000..6e253a690
--- /dev/null
+++ b/tests/data/test1441
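Review bot: The new `&& ptr[1]` guard protects only the `'%'` branch, so any other branch of this `while` loop that reads `ptr[1]` and then advances `ptr` by two would still step over the terminating NUL. The rest of the loop is outside this hunk, but a backslash-escape branch, if ourWriteOut has one, is the place to check; it would take the same form, e.g. `else if('\\' == *ptr && ptr[1]) {`, together with a test that ends the format with a lone `\`. A short comment on the changed line would also keep the guard from being simplified away later: `/* a lone trailing '%' is printed literally; never look past the NUL */`. ourWriteOut starts before and continues past this hunk.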
@@ -0,0 +1,31 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing %
+</name>
+<command>
+file://localhost/%PWD/log/ --write-out '%'
+</command>
+</client>
+
+# Verify data
+<verify>
+<stdout nonewline="yes">
+%
+</stdout>
+</verify>
+</testcase> |