formdata: Check if length is too large for memory
authorJay Satiro <raysatiro@yahoo.com>
Mon, 7 Dec 2015 07:43:24 +0000 (02:43 -0500)
committerJay Satiro <raysatiro@yahoo.com>
Mon, 7 Dec 2015 07:43:24 +0000 (02:43 -0500)
- If the size of the length type (curl_off_t) is greater than the size
of the size_t type then check before allocating memory to make sure the
value of length will fit in a size_t without overflow. If it doesn't
then return CURLE_BAD_FUNCTION_ARGUMENT.

Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
Reported-by: Steve Holme
lib/formdata.c

index cb061acb795403218ed89d0665c313ae67c2af75..113e582a3b80e0e3dced9983b9dd2e0e2feba09e 100644 (file)
@@ -830,19 +830,26 @@ static CURLcode AddFormData(struct FormData **formp,
     return CURLE_OUT_OF_MEMORY;
   newform->next = NULL;
 
+  if(length < 0 || (size && *size < 0))
+    return CURLE_BAD_FUNCTION_ARGUMENT;
+
   if(type <= FORM_CONTENT) {
     /* we make it easier for plain strings: */
     if(!length)
       length = strlen((char *)line);
+#if (SIZEOF_SIZE_T < CURL_SIZEOF_CURL_OFF_T)
+    else if(length >= (curl_off_t)(size_t)-1)
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+#endif
 
-    newform->line = malloc(length+1);
+    newform->line = malloc((size_t)length+1);
     if(!newform->line) {
       free(newform);
       return CURLE_OUT_OF_MEMORY;
     }
-    memcpy(newform->line, line, length);
-    newform->length = length;
-    newform->line[length]=0; /* zero terminate for easier debugging */
+    memcpy(newform->line, line, (size_t)length);
+    newform->length = (size_t)length;
+    newform->line[(size_t)length]=0; /* zero terminate for easier debugging */
   }
   else
     /* For callbacks and files we don't have any actual data so we just keep a
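Review bot: Both new `return CURLE_BAD_FUNCTION_ARGUMENT;` paths leak `newform`: the context line `newform->next = NULL;` shows the node has already been allocated when the sign check runs, and the `SIZEOF_SIZE_T` guard returns after the same allocation, yet neither path frees it the way the existing out-of-memory path does with `free(newform);`. The leak is reachable from a caller-supplied negative or oversized length, so a malformed form part costs an allocation per call. Each path should read `free(newform); return CURLE_BAD_FUNCTION_ARGUMENT;`, or the sign check alone could move above the allocation (which sits before this hunk) so only the `size_t` check needs the free. AddFormData's body begins before the hunk and continues after it.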