authorJay Satiro <raysatiro@yahoo.com>2015-12-07 02:43:24 -0500
committerJay Satiro <raysatiro@yahoo.com>2015-12-07 02:43:24 -0500
commit738b0ba09eb0b9e662dea3c436a88d505195f5e4 (patch)
treed28ccc2a83e4929d3d86b238443b2aaa1578157b
parenta62000ecc9edf38a843cd8da7868fa976fec1ba2 (diff)
formdata: Check if length is too large for memory
- If the size of the length type (curl_off_t) is greater than the size of the size_t type then check before allocating memory to make sure the value of length will fit in a size_t without overflow. If it doesn't then return CURLE_BAD_FUNCTION_ARGUMENT. Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679 Reported-by: Steve Holme
-rw-r--r--lib/formdata.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/lib/formdata.c b/lib/formdata.c
index cb061acb7..113e582a3 100644
--- a/lib/formdata.c
+++ b/lib/formdata.c
@@ -830,19 +830,26 @@ static CURLcode AddFormData(struct FormData **formp,
return CURLE_OUT_OF_MEMORY;
newform->next = NULL;
+ if(length < 0 || (size && *size < 0))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+
if(type <= FORM_CONTENT) {
/* we make it easier for plain strings: */
if(!length)
length = strlen((char *)line);
+#if (SIZEOF_SIZE_T < CURL_SIZEOF_CURL_OFF_T)
+ else if(length >= (curl_off_t)(size_t)-1)
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+#endif
- newform->line = malloc(length+1);
+ newform->line = malloc((size_t)length+1);
if(!newform->line) {
free(newform);
return CURLE_OUT_OF_MEMORY;
}
- memcpy(newform->line, line, length);
- newform->length = length;
- newform->line[length]=0; /* zero terminate for easier debugging */
+ memcpy(newform->line, line, (size_t)length);
+ newform->length = (size_t)length;
+ newform->line[(size_t)length]=0; /* zero terminate for easier debugging */
}
else
/* For callbacks and files we don't have any actual data so we just keep a