diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2022-01-09 17:00:43 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2022-01-13 10:37:00 +0100 |
| commit | 87d8f29262e41f9babfad1f35592fd642c5b90c6 (patch) | |
| tree | 7a8cfdc9d0d396bb032337a7d53e4ced5a1fc2c5 | |
| parent | c07a71e74f3d0ec8ff940bc56ed8cfb06884532e (diff) | |
| download | curl-bagder/formdata-overflow.tar.gz | |
formdata: avoid size_t => long typecast overflowsbagder/formdata-overflow
Typically a problem for platforms with 32 bit long and 64 bit size_t
Reported-by: Fabian Yamaguchi
Bug: https://hackerone.com/reports/1444539
| -rw-r--r-- | lib/formdata.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/formdata.c b/lib/formdata.c index ac7a0009c..ce11d5b48 100644 --- a/lib/formdata.c +++ b/lib/formdata.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -77,10 +77,15 @@ AddHttpPost(char *name, size_t namelength, struct curl_httppost **last_post) { struct curl_httppost *post; + if(!namelength && name) + namelength = strlen(name); + if((bufferlength > LONG_MAX) || (namelength > LONG_MAX)) + /* avoid overflow in typecasts below */ + return NULL; post = calloc(1, sizeof(struct curl_httppost)); if(post) { post->name = name; - post->namelength = (long)(name?(namelength?namelength:strlen(name)):0); + post->namelength = (long)namelength; post->contents = value; post->contentlen = contentslength; post->buffer = buffer; |