authorDan Fandrich <dan@coneharvesters.com>2008-08-12 20:07:52 +0000
committerDan Fandrich <dan@coneharvesters.com>2008-08-12 20:07:52 +0000
commit7eab7fa3534c9ba82b45752e3726a7f1a4645e0d (patch)
treeeb776cd74a66ddbfcd8eb70987ec07cbeb0f1797 /lib
parent58f7c82d520e64f2543a23266b8a80399d5592ee (diff)
Fixed a buffer overflow problem in Curl_proxyCONNECT that could occur
when a server responded with long headers and data. Luckily, the buffer overflowed into another unused buffer, so no actual harm was done. Added test cases 1060 and 1061 to verify.
Diffstat (limited to 'lib')
-rw-r--r--lib/http.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/http.c b/lib/http.c
index fdaf6f82f..42aa45718 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1474,6 +1474,7 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn,
case 0: /* timeout */
break;
default:
+ DEBUGASSERT(ptr+BUFSIZE-nread <= data->state.buffer+BUFSIZE+1);
res = Curl_read(conn, tunnelsocket, ptr, BUFSIZE-nread, &gotbytes);
if(res< 0)
/* EWOULDBLOCK */
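Review bot: The bound added ahead of `Curl_read()` is a `DEBUGASSERT`, which curl compiles away outside debug builds, so release builds still have no check on the write range `ptr .. ptr+BUFSIZE-nread` and depend entirely on every path that zeroes `nread` also rewinding `ptr`. Because the proxy controls the size of the response, a runtime guard that fails the CONNECT would be safer, something like `if((ptr - data->state.buffer) + (BUFSIZE - nread) > BUFSIZE+1) return CURLE_RECV_ERROR;` before the read; any cleanup that path needs is outside the hunk, as are the start and end of the function. The `+1` in the assertion presumably reflects `state.buffer` being declared with `BUFSIZE+1` bytes, which is not visible here; a short comment saying so would stop it reading as an off-by-one.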
@@ -1506,6 +1507,7 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn,
/* This means we are currently ignoring a response-body */
nread = 0; /* make next read start over in the read buffer */
+ ptr=data->state.buffer;
if(cl) {
/* A Content-Length based body: simply count down the counter
and make sure to break out of the loop when we're done! */
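Review bot: `nread = 0` and `ptr=data->state.buffer` now have to be kept in step by hand, here and again at the end-of-response-headers reset in the next hunk, and nothing in the code says why. Going by the commit message and the assertion added in the first hunk, the missing rewind is what let the next `Curl_read()` start from a stale `ptr` with a length of `BUFSIZE-nread`, so both sites deserve a comment such as `/* rewind ptr together with nread, or the next read writes past state.buffer */`. If any other path in the function zeroes `nread` (the function body extends beyond these hunks), it needs the same rewind. Folding the two assignments into one small macro or helper would keep them from drifting apart again.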
@@ -1565,6 +1567,7 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn,
/* end of response-headers from the proxy */
nread = 0; /* make next read start over in the read
buffer */
+ ptr=data->state.buffer;
if((407 == k->httpcode) && !data->state.authproblem) {
/* If we get a 407 response code with content length
when we have no auth problem, we must ignore the