aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/tool_cb_hdr.c23
-rw-r--r--src/tool_cb_wrt.c7
2 files changed, 27 insertions, 3 deletions
diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
index 2643ad2cf..e90a4e589 100644
--- a/src/tool_cb_hdr.c
+++ b/src/tool_cb_hdr.c
@@ -30,6 +30,7 @@
#include "curlx.h"
#include "tool_cfgable.h"
+#include "tool_msgs.h"
#include "tool_cb_hdr.h"
#include "memdebug.h" /* keep this as LAST include */
@@ -47,6 +48,21 @@ size_t tool_header_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
const size_t cb = size * nmemb;
const char *end = (char*)ptr + cb;
+ /*
+ * Once that libcurl has called back tool_header_cb() the returned value
+ * is checked against the amount that was intended to be written, if
+ * it does not match then it fails with CURLE_WRITE_ERROR. So at this
+ * point returning a value different from sz*nmemb indicates failure.
+ */
+ size_t failure = (size * nmemb) ? 0 : 1;
+
+#ifdef DEBUGBUILD
+ if(sz * nmemb > (size_t)CURL_MAX_WRITE_SIZE) {
+ warnf(config, "Header data exceeds single call write limit!\n");
+ return failure;
+ }
+#endif
+
if(cb > 20 && checkprefix("Content-disposition:", str)) {
const char *p = str + 20;
@@ -74,12 +90,13 @@ size_t tool_header_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
*/
len = (ssize_t)cb - (p - str);
filename = parse_filename(p, len);
- /* TODO: OOM handling - return (size_t)-1 ? */
if(filename) {
outs->filename = filename;
outs->alloc_filename = TRUE;
break;
}
+ else
+ return failure;
}
}
@@ -157,11 +174,11 @@ static char *parse_filename(const char *ptr, size_t len)
if(copy != p)
memmove(copy, p, strlen(p) + 1);
- /* in case we built curl debug enabled, we allow an evironment variable
+ /* in case we built debug enabled, we allow an evironment variable
* named CURL_TESTDIR to prefix the given file name to put it into a
* specific directory
*/
-#ifdef CURLDEBUG
+#ifdef DEBUGBUILD
{
char *tdir = curlx_getenv("CURL_TESTDIR");
if(tdir) {
diff --git a/src/tool_cb_wrt.c b/src/tool_cb_wrt.c
index 3a2cd791a..1889080de 100644
--- a/src/tool_cb_wrt.c
+++ b/src/tool_cb_wrt.c
@@ -51,6 +51,13 @@ size_t tool_write_cb(void *buffer, size_t sz, size_t nmemb, void *userdata)
*/
const size_t err_rc = (sz * nmemb) ? 0 : 1;
+#ifdef DEBUGBUILD
+ if(sz * nmemb > (size_t)CURL_MAX_WRITE_SIZE) {
+ warnf(config, "Data size exceeds single call write limit!\n");
+ return err_rc; /* Failure */
+ }
+#endif
+
if(!out->stream) {
out->bytes = 0; /* nothing written yet */
if(!out->filename) {