forked from curl/curl-www
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCVE-2018-1000122.patch
42 lines (35 loc) · 1.28 KB
/
CVE-2018-1000122.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
From d70b74d6f893947aa22d3f14df10f92a8c349388 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Thu, 8 Mar 2018 10:33:16 +0100
Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
CVE-2018-1000122
Bug: https://curl.se/docs/adv_2018-b047.html
Detected by OSS-fuzz
---
lib/transfer.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/transfer.c b/lib/transfer.c
index c46ac25f4..fd9af3155 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -806,14 +806,19 @@ static CURLcode readwrite_data(struct Curl_easy *data,
return result;
}
} /* if(!header and data to read) */
- if(conn->handler->readwrite &&
- (excess > 0 && !conn->bits.stream_was_rewound)) {
+ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
/* Parse the excess data */
k->str += nread;
+
+ if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
+ /* the excess amount was too excessive(!), make sure
+ it doesn't read out of buffer */
+ excess = &k->buf[data->set.buffer_size] - k->str;
+ }
nread = (ssize_t)excess;
result = conn->handler->readwrite(data, conn, &nread, &readmore);
if(result)
return result;
--
2.16.1