 CHANGES                | 13 +++++++++++++
 RELEASE-NOTES          |  4 +++-
 lib/content_encoding.c |  2 +-
 3 files changed, 17 insertions(+), 2 deletions(-)
@@ -6,6 +6,19 @@ Changelog +Daniel Stenberg (9 Feb 2010) +- When downloading compressed content over HTTP and the app as asked libcurl + to automatically uncompress it with the CURLOPT_ENCODING option, libcurl + could wrongly provide the callback with more data than what the maximum + documented amount. An application could thus get tricked into badness if the + maximum limit was trusted to be enforced by libcurl itself (as it is + documented). + + This is further detailed and explained in the libcurl security advisory + 20100209 at + + http://curl.haxx.se/docs/adv_20100209.html + Daniel Fandrich (3 Feb 2010) - Changed the Watcom makefiles to make them easier to keep in sync with Makefile.inc since that can't be included directly. diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 22f362085..fceaafc64 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -52,6 +52,8 @@ This release includes the following bugfixes: o FTP file size checks with ASCII transfers o HTTP Cookie: headers sort cookies based on specified path lengths o CURLM_CALL_MULTI_PERFORM fix for multi socket timeout calls + o libcurl data callback excessive length: + http://curl.haxx.se/docs/adv_20100209.html This release includes the following known bugs: @@ -66,6 +68,6 @@ advice from friends like these: Markus Koetter, Chad Monroe, Martin Storsjo, Siegfried Gyuricsko, Jon Nelson, Julien Chaffraix, Renato Botelho, Peter Pentchev, Ingmar Runge, Johan van Selst, Charles Kerr, Gil Weber, David McCreedy, Chris Conroy, - Bjorn Stenberg, Mike Crowe, Joshua Kwan, Daniel Fandrich + Bjorn Stenberg, Mike Crowe, Joshua Kwan, Daniel Fandrich, Wesley Miaw Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/content_encoding.c b/lib/content_encoding.c index 85362da41..b8f57d001 100644 --- a/lib/content_encoding.c +++ b/lib/content_encoding.c 
@@ -40,7 +40,7 @@ (doing so will reduce code size slightly). */ #define OLD_ZLIB_SUPPORT 1 -#define DSIZ 0x10000 /* buffer size for decompressed data */ +#define DSIZ CURL_MAX_WRITE_SIZE /* buffer size for decompressed data */ #define GZIP_MAGIC_0 0x1f #define GZIP_MAGIC_1 0x8b |
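Review bot: the CHANGES hunk has two wording slips in the new entry: "the app as asked libcurl" should read "the app has asked libcurl", and "more data than what the maximum documented amount" should read "more data than the maximum documented amount". Since this entry is what users will read alongside advisory 20100209, naming the documented limit explicitly (CURL_MAX_WRITE_SIZE, the value the code change below now uses) would make it clearer what callback contract was being violated.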
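Review bot: in the lib/content_encoding.c hunk, replacing `#define DSIZ 0x10000` with `#define DSIZ CURL_MAX_WRITE_SIZE` is the right fix, but the hunk does not show that CURL_MAX_WRITE_SIZE is in scope in this file, so confirm the public curl header that defines it is included before line 40. The comment on the new line still only says "buffer size for decompressed data"; extend it to state that DSIZ must never exceed CURL_MAX_WRITE_SIZE because the write callback's documented maximum depends on it, so a later edit does not silently reintroduce the oversized buffer. Finally, a fixed buffer size only bounds what the application sees if every call that hands decompressed bytes to the client write function passes at most DSIZ bytes per call, which is worth checking in the surrounding code rather than relying on the define alone.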