diff options
author | Jay Satiro <raysatiro@yahoo.com> | 2015-12-07 02:43:24 -0500 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2015-12-07 02:43:24 -0500 |
commit | 738b0ba09eb0b9e662dea3c436a88d505195f5e4 (patch) | |
tree | d28ccc2a83e4929d3d86b238443b2aaa1578157b | |
parent | a62000ecc9edf38a843cd8da7868fa976fec1ba2 (diff) |
formdata: Check if length is too large for memory
- If the size of the length type (curl_off_t) is greater than the size
of the size_t type then check before allocating memory to make sure the
value of length will fit in a size_t without overflow. If it doesn't
then return CURLE_BAD_FUNCTION_ARGUMENT.
Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
Reported-by: Steve Holme
-rw-r--r-- | lib/formdata.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/lib/formdata.c b/lib/formdata.c index cb061acb7..113e582a3 100644 --- a/lib/formdata.c +++ b/lib/formdata.c @@ -830,19 +830,26 @@ static CURLcode AddFormData(struct FormData **formp, return CURLE_OUT_OF_MEMORY; newform->next = NULL; + if(length < 0 || (size && *size < 0)) + return CURLE_BAD_FUNCTION_ARGUMENT; + if(type <= FORM_CONTENT) { /* we make it easier for plain strings: */ if(!length) length = strlen((char *)line); +#if (SIZEOF_SIZE_T < CURL_SIZEOF_CURL_OFF_T) + else if(length >= (curl_off_t)(size_t)-1) + return CURLE_BAD_FUNCTION_ARGUMENT; +#endif - newform->line = malloc(length+1); + newform->line = malloc((size_t)length+1); if(!newform->line) { free(newform); return CURLE_OUT_OF_MEMORY; } - memcpy(newform->line, line, length); - newform->length = length; - newform->line[length]=0; /* zero terminate for easier debugging */ + memcpy(newform->line, line, (size_t)length); + newform->length = (size_t)length; + newform->line[(size_t)length]=0; /* zero terminate for easier debugging */ } else /* For callbacks and files we don't have any actual data so we just keep a |