diff options
author | Daniel Stenberg <daniel@haxx.se> | 2018-03-08 10:33:16 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-03-12 07:47:07 +0100 |
commit | d52dc4760f6d9ca1937eefa2093058a952465128 (patch) | |
tree | bd9dcbf19b67a557feafb56075536b283e6a63c7 | |
parent | ddb879c6ae3187dab50430fe0e9b0ba8653204d3 (diff) |
readwrite: make sure excess reads don't go beyond buffer end
CVE-2018-1000122
Bug: https://curl.haxx.se/docs/adv_2018-b047.html
Detected by OSS-fuzz
-rw-r--r-- | lib/transfer.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/transfer.c b/lib/transfer.c index c46ac25f4..fd9af3155 100644 --- a/lib/transfer.c +++ b/lib/transfer.c @@ -808,10 +808,15 @@ static CURLcode readwrite_data(struct Curl_easy *data, } /* if(!header and data to read) */ - if(conn->handler->readwrite && - (excess > 0 && !conn->bits.stream_was_rewound)) { + if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) { /* Parse the excess data */ k->str += nread; + + if(&k->str[excess] > &k->buf[data->set.buffer_size]) { + /* the excess amount was too excessive(!), make sure + it doesn't read out of buffer */ + excess = &k->buf[data->set.buffer_size] - k->str; + } nread = (ssize_t)excess; result = conn->handler->readwrite(data, conn, &nread, &readmore); |