diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2017-10-07 00:11:31 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2017-10-22 16:02:43 +0200 |
| commit | 13c9a9ded3ae744a1e11cbc14e9146d9fa427040 (patch) | |
| tree | e0947cfcadc5d4fd4621dcc1a794a6a8e26fbb17 | |
| parent | 769647e714b8da41bdb72720bf02dce56033e02e (diff) | |
| download | curl-13c9a9ded3ae744a1e11cbc14e9146d9fa427040.tar.gz | |
imap: if a FETCH response has no size, don't call write callback
CVE-2017-1000257
Reported-by: Brian Carpenter and 0xd34db347
Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
| -rw-r--r-- | lib/imap.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/imap.c b/lib/imap.c index 954d18f37..baa31a2f8 100644 --- a/lib/imap.c +++ b/lib/imap.c @@ -1126,6 +1126,11 @@ static CURLcode imap_state_fetch_resp(struct connectdata *conn, int imapcode, /* The conversion from curl_off_t to size_t is always fine here */ chunk = (size_t)size; + if(!chunk) { + /* no size, we're done with the data */ + state(conn, IMAP_STOP); + return CURLE_OK; + } result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk); if(result) return result; |