formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used
authorDaniel Stenberg <daniel@haxx.se>
Sun, 4 Aug 2013 21:27:27 +0000 (23:27 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Sun, 4 Aug 2013 21:32:36 +0000 (23:32 +0200)
The internal function that's used to detect known file extensions for
the default Content-Type got the wrong pointer passed in when
CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that
strlen() would be used which could lead to an out-of-bounds read (and
thus segfault). In most cases it would only lead to it not finding or
using the correct default content-type.

It also showed that test 554 and test 587 were testing for the
previous/wrong behavior and now they're updated as well.

Bug: http://curl.haxx.se/bug/view.cgi?id=1262
Reported-by: Konstantin Isakov
lib/formdata.c
tests/data/test554
tests/data/test587

index 9d90f72e4f95785b59c45e586364405e1a3ae43e..f718a3e4e9c070cd1b337203ed086c9a38998de0 100644 (file)
@@ -168,8 +168,8 @@ static FormInfo * AddFormInfo(char *value,
  * Returns some valid contenttype for filename.
  *
  ***************************************************************************/
-static const char * ContentTypeForFilename (const char *filename,
-                                            const char *prevtype)
+static const char *ContentTypeForFilename(const char *filename,
+                                          const char *prevtype)
 {
   const char *contenttype = NULL;
   unsigned int i;
@@ -178,7 +178,7 @@ static const char * ContentTypeForFilename (const char *filename,
    * extensions and pick the first we match!
    */
   struct ContentType {
-    char extension[6];
+    const char *extension;
     const char *type;
   };
   static const struct ContentType ctts[]={
@@ -667,9 +667,11 @@ CURLFORMcode FormAdd(struct curl_httppost **httppost,
         if(((form->flags & HTTPPOST_FILENAME) ||
             (form->flags & HTTPPOST_BUFFER)) &&
            !form->contenttype ) {
+          char *f = form->flags & HTTPPOST_BUFFER?
+            form->showfilename : form->value;
+
           /* our contenttype is missing */
-          form->contenttype
-            = strdup(ContentTypeForFilename(form->value, prevtype));
+          form->contenttype = strdup(ContentTypeForFilename(f, prevtype));
           if(!form->contenttype) {
             return_value = CURL_FORMADD_MEMORY;
             break;
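Review bot: The new selection of `f` has no comment saying why `form->value` must not be used for HTTPPOST_BUFFER parts, which is the invariant this fix depends on; going by the commit description, the value is then the caller's buffer and ContentTypeForFilename measures it with strlen(). I would put `/* a HTTPPOST_BUFFER part keeps raw, possibly unterminated data in value; only showfilename is a string */` above the declaration, declare it `const char *f` since the callee takes `const char *`, and parenthesize `(form->flags & HTTPPOST_BUFFER)` for readability. Whether `showfilename` can still be NULL at this point is not visible in the hunk, so it is worth confirming that ContentTypeForFilename accepts a NULL filename. FormAdd's body starts and ends outside the hunk.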
index 8c6b762ef72a7bd1a5d4beb92d1dce4910b1bdd0..b442230c9b679e34ccc24a88647335b557e3634f 100644 (file)
@@ -45,7 +45,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=--------------------------
 POST /554 HTTP/1.1\r
 Host: %HOSTIP:%HTTPPORT\r
 Accept: */*\r
-Content-Length: 732\r
+Content-Length: 718\r
 Expect: 100-continue\r
 Content-Type: multipart/form-data; boundary=----------------------------\r
 \r
@@ -69,7 +69,7 @@ Content-Disposition: form-data; name="submit"
 send\r
 ------------------------------\r
 Content-Disposition: form-data; name="somename"; filename="somefile.txt"\r
-Content-Type: application/octet-stream\r
+Content-Type: text/plain\r
 \r
 blah blah\r
 --------------------------------\r
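Review bot: The expectation changed here pins only the Content-Type chosen for `filename="somefile.txt"`; nothing in the visible test data exercises the out-of-bounds read named in the commit description. If the buffer this test passes with CURLFORM_BUFFERPTR is zero-terminated (the test source is not part of this diff), a case with an unterminated buffer, run under valgrind or a sanitizer, would guard against a regression. The same applies to the test587 hunk, which only adjusts Content-Length.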
index d936372c5ea56729db09d0fc99c8379fdb139bd3..e73cc2cf72ba1b05148cacb4d8a105a68d3a425f 100644 (file)
@@ -35,7 +35,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=--------------------------
 POST /587 HTTP/1.1\r
 Host: %HOSTIP:%HTTPPORT\r
 Accept: */*\r
-Content-Length: 732\r
+Content-Length: 718\r
 Expect: 100-continue\r
 Content-Type: multipart/form-data; boundary=----------------------------\r
 \r