author | Daniel Stenberg <daniel@haxx.se> | 2016-09-28 10:15:34 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2016-10-31 08:46:35 +0100 |
commit | 8732ec40db652c53fa58cd13e2acb8eab6e40874 (patch) | |
tree | 5fa2321f166bbacd895831857c9e8eb5278139e2 /lib/mprintf.c | |
parent | ee4f76606cfa4ee068bf28edd37c8dae7e8db317 (diff) | |
download | curl-8732ec40db652c53fa58cd13e2acb8eab6e40874.tar.gz |
aprintf: detect wrap-around when growing allocation
On 32bit systems we could otherwise wrap around after 2GB and allocate 0
bytes and crash.
CVE-2016-8618
Bug: https://curl.haxx.se/docs/adv_20161102D.html
Reported-by: Cure53
Diffstat (limited to 'lib/mprintf.c')
-rw-r--r-- | lib/mprintf.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/lib/mprintf.c b/lib/mprintf.c
index dbedeaa18..2c88aa833 100644
--- a/lib/mprintf.c
+++ b/lib/mprintf.c
@@ -1036,16 +1036,19 @@ static int alloc_addbyter(int output, FILE *data)
 infop->len =0;
 } else if(infop->len+1 >= infop->alloc) {
- char *newptr;
+ char *newptr = NULL;
+ size_t newsize = infop->alloc*2;
- newptr = realloc(infop->buffer, infop->alloc*2);
+ /* detect wrap-around or other overflow problems */
+ if(newsize > infop->alloc)
+ newptr = realloc(infop->buffer, newsize);
 if(!newptr) {
 infop->fail = 1;
 return -1; /* fail */
 }
 infop->buffer = newptr;
- infop->alloc *= 2;
+ infop->alloc = newsize;
 }
 infop->buffer[ infop->len ] = outc; |
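Review bot: The wrap-around test `if(newsize > infop->alloc)` runs after `infop->alloc*2` has already been computed, so it is only sound if `infop->alloc` is an unsigned type such as `size_t`; its declaration is outside this hunk, and a signed field would overflow with undefined behaviour before the comparison. Checking before the multiplication, for example `if(infop->alloc <= ((size_t)-1)/2)`, would make the guard independent of that and state the limit explicitly. On the failure path the old `infop->buffer` is left in place with `infop->fail = 1`; presumably the caller frees it when it sees `fail`, which deserves a short comment here, such as `/* caller frees infop->buffer when fail is set */`. The body of alloc_addbyter starts and ends outside the hunk, so the first allocation branch was not reviewed.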