curl_formparse() should no longer have any size-limit in the data section

after this patch from Peter Todd

1 files changed, 10 insertions, 2 deletions

diff --git a/lib/formdata.c b/lib/formdata.c
index 41629cc75..06281f422 100644
--- a/lib/formdata.c
+++ b/lib/formdata.c
@@ -102,7 +102,7 @@ int FormParse(char *input,
   /* nextarg MUST be a string in the format 'name=contents' and we'll
      build a linked list with the info */
   char name[256];
-  char contents[4096]="";
+  char *contents;
   char major[128];
   char minor[128];
   long flags = 0;
@@ -115,7 +115,12 @@ int FormParse(char *input,
   struct HttpPost *subpost; /* a sub-node */
   unsigned int i;
 
-  if(1 <= sscanf(input, "%255[^=]=%4095[^\n]", name, contents)) {
+  /* Preallocate contents to the length of input to make sure we don't
+     overwrite anything. */
+  contents = malloc(strlen(input));
+  contents[0] = '\000';
+ 
+  if(1 <= sscanf(input, "%255[^=]=%[^\n]", name, contents)) {
     /* the input was using the correct format */
     contp = contents;
 
@@ -156,6 +161,7 @@ int FormParse(char *input,
 	    if(2 != sscanf(type, "%127[^/]/%127[^,\n]",
 			   major, minor)) {
 	      fprintf(stderr, "Illegally formatted content-type field!\n");
+              free(contents);
 	      return 2; /* illegal content-type syntax! */
 	    }
 	    /* now point beyond the content-type specifier */
@@ -287,8 +293,10 @@ int FormParse(char *input,
   }
   else {
     fprintf(stderr, "Illegally formatted input field!\n");
+    free(contents);
     return 1;
   }
+  free(contents);
   return 0;
 }