delta/curl.git/lib/mprintf.c, branch bagder/configure-dis-https-proxy github.com: bagder/curl.git dynbuf: make *addf() not require extra mallocs 2020-09-23T06:54:42+00:00 Daniel Stenberg daniel@haxx.se 2020-09-22T15:28:34+00:00 7e8561e030fcfaba5cd620d7e9c9ab8356163132 ... by introducing a printf() function that appends directly into a dynbuf: Curl_dyn_vprintf(). This avoids the mandatory extra malloc so if the buffer is already big enough it can just printf directly into it. Since this less-malloc version requires tthe use of a library internal printf function, we only provide this version when building libcurl and not for the dynbuf code that is used when building the curl tool. Closes #5998 
... by introducing a printf() function that appends directly into a
dynbuf: Curl_dyn_vprintf(). This avoids the mandatory extra malloc so if
the buffer is already big enough it can just printf directly into it.

Since this less-malloc version requires tthe use of a library internal
printf function, we only provide this version when building libcurl and
not for the dynbuf code that is used when building the curl tool.

Closes #5998
checksrc: verify do-while and spaces between the braces 2020-08-24T14:38:17+00:00 Daniel Stenberg daniel@haxx.se 2020-08-24T07:31:39+00:00 4ebac06106825a5d28be4c38e62732c911168605 Updated mprintf.c to comply Closes #5845 
Updated mprintf.c to comply

Closes #5845
mprintf: Fix stack overflows 2020-07-27T07:43:00+00:00 Tobias Stoeckmann tobias@stoeckmann.org 2020-07-25T15:30:12+00:00 8829703b5a8d595457f3f4954cf09e6d6bae1523 Stack overflows can occur with precisions for integers and floats. Proof of concepts: - curl_mprintf("%d, %.*1$d", 500, 1); - curl_mprintf("%d, %+0500.*1$f", 500, 1); Ideally, compile with -fsanitize=address which makes this undefined behavior a bit more defined for debug purposes. The format strings are valid. The overflows occur due to invalid arguments. If these arguments are variables with contents controlled by an attacker, the function's stack can be corrupted. Also see CVE-2016-9586 which partially fixed the float aspect. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Closes https://github.com/curl/curl/pull/5722 
Stack overflows can occur with precisions for integers and floats.

Proof of concepts:
- curl_mprintf("%d, %.*1$d", 500, 1);
- curl_mprintf("%d, %+0500.*1$f", 500, 1);

Ideally, compile with -fsanitize=address which makes this undefined
behavior a bit more defined for debug purposes.

The format strings are valid. The overflows occur due to invalid
arguments. If these arguments are variables with contents controlled
by an attacker, the function's stack can be corrupted.

Also see CVE-2016-9586 which partially fixed the float aspect.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Closes https://github.com/curl/curl/pull/5722
mprintf: Fix dollar string handling 2020-07-27T07:42:59+00:00 Tobias Stoeckmann tobias@stoeckmann.org 2020-07-25T15:29:38+00:00 94b03664decf47429ad426afb40ae5fe1aff28cf Verify that specified parameters are in range. If parameters are too large, fail early on and avoid out of boundary accesses. Also do not read behind boundaries of illegal format strings. These are defensive measures since it is expected that format strings are well-formed. Format strings should not be modifiable by user input due to possible generic format string attacks. Closes https://github.com/curl/curl/pull/5722 
Verify that specified parameters are in range. If parameters are too
large, fail early on and avoid out of boundary accesses.

Also do not read behind boundaries of illegal format strings.

These are defensive measures since it is expected that format strings
are well-formed. Format strings should not be modifiable by user
input due to possible generic format string attacks.

Closes https://github.com/curl/curl/pull/5722
source cleanup: remove all custom typedef structs 2020-05-15T06:54:42+00:00 Daniel Stenberg daniel@haxx.se 2020-05-13T22:05:04+00:00 8df455479f8801bbebad8839fc96abbffa711603 - Stick to a single unified way to use structs - Make checksrc complain on 'typedef struct {' - Allow them in tests, public headers and examples - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually typedef different types/structs depending on build conditions. Closes #5338 
 - Stick to a single unified way to use structs
 - Make checksrc complain on 'typedef struct {'
 - Allow them in tests, public headers and examples

 - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
   typedef different types/structs depending on build conditions.

Closes #5338
dynbuf: introduce internal generic dynamic buffer functions 2020-05-04T08:40:39+00:00 Daniel Stenberg daniel@haxx.se 2020-05-02T15:04:08+00:00 ed35d6590e72c23c568af1e3b8ac6e4e2d883888 A common set of functions instead of many separate implementations for creating buffers that can grow when appending data to them. Existing functionality has been ported over. In my early basic testing, the total number of allocations seem at roughly the same amount as before, possibly a few less. See docs/DYNBUF.md for a description of the API. Closes #5300 
A common set of functions instead of many separate implementations for
creating buffers that can grow when appending data to them. Existing
functionality has been ported over.

In my early basic testing, the total number of allocations seem at
roughly the same amount as before, possibly a few less.

See docs/DYNBUF.md for a description of the API.

Closes #5300
build: Disable Visual Studio warning "conditional expression is constant" 2019-12-02T00:01:02+00:00 Jay Satiro raysatiro@yahoo.com 2019-11-30T08:29:36+00:00 9c1806ae4684ec5ef1aeb39bb9f15cece1c27256 - Disable warning C4127 "conditional expression is constant" globally in curl_setup.h for when building with Microsoft's compiler. This mainly affects building with the Visual Studio project files found in the projects dir. Prior to this change the cmake and winbuild build systems already disabled 4127 globally for when building with Microsoft's compiler. Also, 4127 was already disabled for all build systems in the limited circumstance of the WHILE_FALSE macro which disabled the warning specifically for while(0). This commit removes the WHILE_FALSE macro and all other cruft in favor of disabling globally in curl_setup. Background: We have various macros that cause 0 or 1 to be evaluated, which would cause warning C4127 in Visual Studio. For example this causes it: #define Curl_resolver_asynch() 1 Full behavior is not clearly defined and inconsistent across versions. However it is documented that since VS 2015 Update 3 Microsoft has addressed this somewhat but not entirely, not warning on while(true) for example. Prior to this change some C4127 warnings occurred when I built with Visual Studio using the generated projects in the projects dir. Closes https://github.com/curl/curl/pull/4658 
- Disable warning C4127 "conditional expression is constant" globally
  in curl_setup.h for when building with Microsoft's compiler.

This mainly affects building with the Visual Studio project files found
in the projects dir.

Prior to this change the cmake and winbuild build systems already
disabled 4127 globally for when building with Microsoft's compiler.
Also, 4127 was already disabled for all build systems in the limited
circumstance of the WHILE_FALSE macro which disabled the warning
specifically for while(0). This commit removes the WHILE_FALSE macro and
all other cruft in favor of disabling globally in curl_setup.

Background:

We have various macros that cause 0 or 1 to be evaluated, which would
cause warning C4127 in Visual Studio. For example this causes it:

    #define Curl_resolver_asynch() 1

Full behavior is not clearly defined and inconsistent across versions.
However it is documented that since VS 2015 Update 3 Microsoft has
addressed this somewhat but not entirely, not warning on while(true) for
example.

Prior to this change some C4127 warnings occurred when I built with
Visual Studio using the generated projects in the projects dir.

Closes https://github.com/curl/curl/pull/4658
copyrights: fix copyright year range 2019-11-08T13:51:42+00:00 Daniel Stenberg daniel@haxx.se 2019-11-02T22:41:43+00:00 0bc60d91de0eda5d1c7ec8033a75980f81a33a59 .. because checksrc's copyright year check stopped working. Ref: https://github.com/curl/curl/pull/4547 Closes https://github.com/curl/curl/pull/4549 
.. because checksrc's copyright year check stopped working.

Ref: https://github.com/curl/curl/pull/4547

Closes https://github.com/curl/curl/pull/4549
mprintf: avoid unsigned integer overflow warning 2018-11-02T10:07:04+00:00 Tim Rühsen tim.ruehsen@gmx.de 2018-10-28T10:33:27+00:00 e4f2a5bc1b6146f96a8a5778a13ab3d0c6071040 The overflow has no real world impact. Just avoid it for "best practice". Code change suggested by "The Infinnovation Team" and Daniel Stenberg. Closes #3184 
The overflow has no real world impact.
Just avoid it for "best practice".

Code change suggested by "The Infinnovation Team" and Daniel Stenberg.
Closes #3184
code style: remove wrong uses of multiple spaces 2017-09-12T11:54:54+00:00 Daniel Stenberg daniel@haxx.se 2017-09-12T07:29:01+00:00 87501e57f1c166cb250111af54e0470ab8b2099c Closes #1878 
Closes #1878