James Bursa found an ERRORBUFFFER overflow

diff --git a/CHANGES b/CHANGES
index 690eedb7e204ded84c3f6a303071ef7e972fb7cc..e9b6c64c6881fe50ab841105e08db15781a22ee8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,13 @@
                                   Changelog
 
 
+Daniel (26 October)
+- James Bursa found out that curl_msnprintf() could write the trailing
+  zero-byte outside its given buffer size. This could happen if you generated
+  a very long error message as then libcurl would overwrite the ERRORBUFFER
+  with one byte. Using a non-existing very long local file:// name is one case
+  that could make this occur.
+
 Daniel (24 October)
 - David Hull filed bug report #829827. It identified a problem with -C - if
   the full file already was downloaded and thus the server responded with a

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 299f87b30963b06e964494557d8d522b26bac879..f5d1cd081b3c48db7912a9a8c83d82750a9866ed 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -24,6 +24,7 @@ This release includes the following changes:
 
 This release includes the following bugfixes:
 
+ o a rare ERRORBUFFER single-byte overflow was fixed
  o HTTP-resuming an already downloaded file works better
  o builds better on Solaris 8+ with gcc
  o --disable-eprt works now
@@ -81,6 +82,7 @@ advice from friends like these:
  Neil Spring, Siddhartha Prakash Jain, Jon Turner, Vincent Bronner, Shard,
  Jeremy Friesner, Florian Schoppmann, Neil Dunbar, Frank Ticheler, Lachlan
  O'Dea, Dirk Manske, Domenico Andreoli, Gisle Vanem, Kimmo Kinnunen, Andrew
- Fuller, Georg Horn, Andrés García, Dylan Ellicott, Kevin Roth, David Hull
+ Fuller, Georg Horn, Andrés García, Dylan Ellicott, Kevin Roth, David Hull,
+ James Bursa
  
         Thanks! (and sorry if I forgot to mention someone)