From a2926ebe7ca9e619f9d85d9b1d12d90f1fc714f4 Mon Sep 17 00:00:00 2001
From: Yang Tse
Date: Wed, 14 Nov 2007 00:48:11 +0000
Subject: [PATCH] Fix a variable potential wrapping in add_buffer() when using absolutely huge send buffer sizes
---
 CHANGES | 4 ++++
 RELEASE-NOTES | 1 +
 lib/http.c | 21 ++++++++++++++++++++-
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index cb81d6d27..459d657b4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ Changelog +Yang Tse (14 Nov 2007) +- Fix a variable potential wrapping in add_buffer() when using absolutely + huge send buffer sizes. + Daniel S (13 Nov 2007) - Fixed a remaining problem with doing SFTP directory listings on a re-used persistent connection. Mentioned by Immanuel Gregoire on the mailing list.
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index ffe2e4431..2be825413 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -20,6 +20,7 @@ This release includes the following bugfixes: o curl.h version 7.17.1 problem when building C++ apps with MSVC o SFTP and SCP use persistent connections o segfault on bad URL + o variable wrapping when using absolutely huge send buffer sizes This release includes the following known bugs:
diff --git a/lib/http.c b/lib/http.c
index 7d9c80b00..e7b39ad4b 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1083,9 +1083,28 @@ CURLcode add_buffer(send_buffer *in, const void *inptr, size_t size)
 char *new_rb;
 size_t new_size;
+ if(~size < in->size_used) {
+ /* If resulting used size of send buffer would wrap size_t, cleanup
+ the whole buffer and return error. Otherwise the required buffer
+ size will fit into a single allocatable memory chunk */
+ Curl_safefree(in->buffer);
+ free(in);
+ return CURLE_OUT_OF_MEMORY;
+ }
+
 if(!in->buffer || ((in->size_used + size) > (in->size_max - 1))) {
- new_size = (in->size_used+size)*2;
+
+ /* If current buffer size isn't enough to hold the result, use a
+ buffer size that doubles the required size. If this new size
+ would wrap size_t, then just use the largest possible one */
+
+ if((size > (size_t)-1/2) || (in->size_used > (size_t)-1/2) ||
+ (~(size*2) < (in->size_used*2)))
+ new_size = (size_t)-1;
+ else
+ new_size = (in->size_used+size)*2;
+
 if(in->buffer)
 /* we have a buffer, enlarge the existing one */
 new_rb = (char *)realloc(in->buffer, new_size);
-- 2.40.0
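Review bot: The three-way wrap test guarding the doubled size can be reduced to a single comparison on the required size, which the first added check has already proved cannot wrap: `size_t need = in->size_used + size;` followed by `new_size = (need > (size_t)-1/2) ? (size_t)-1 : need*2;` is equivalent (an unsigned `need*2` wraps exactly when `need` exceeds half of `(size_t)-1`) and is easier to audit than the `~(size*2) < (in->size_used*2)` form. Capping `new_size` at `(size_t)-1` only stays safe if the realloc/malloc result is checked and the buffer torn down on failure, which presumably happens in the `!new_rb` branch below the hunk; that branch should remain the only consumer of the capped value so no later arithmetic on `in->size_max - 1` sees it. The new early return frees both `in->buffer` and `in`, matching the existing out-of-memory path, so the function's header comment (above the hunk) should state that `in` is invalid after any error return. add_buffer's body continues past the last line shown.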