- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a

  chunked-encoding trailer.

  http://curl.haxx.se/bug/view.cgi?id=2958474

1 files changed, 6 insertions, 3 deletions

diff --git a/lib/http_chunks.c b/lib/http_chunks.c
index ee35d6603..3649f9ee0 100644
--- a/lib/http_chunks.c
+++ b/lib/http_chunks.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -306,14 +306,17 @@ CHUNKcode Curl_httpchunk_read(struct connectdata *conn,
       /* conn->trailer is assumed to be freed in url.c on a
          connection basis */
       if(conn->trlPos >= conn->trlMax) {
+        /* in this logic we always allocate one byte more than trlMax
+           contains, just because CHUNK_TRAILER_POSTCR will append two bytes
+           so we need to make sure we have room for an extra byte */
         char *ptr;
         if(conn->trlMax) {
           conn->trlMax *= 2;
-          ptr = realloc(conn->trailer,conn->trlMax);
+          ptr = realloc(conn->trailer, conn->trlMax + 1);
         }
         else {
           conn->trlMax=128;
-          ptr = malloc(conn->trlMax);
+          ptr = malloc(conn->trlMax + 1);
         }
         if(!ptr)
           return CHUNKE_OUT_OF_MEMORY;