readwrite: make sure excess reads don't go beyond buffer end

CVE-2018-1000122 Bug: https://curl.haxx.se/docs/adv_2018-b047.html Detected by OSS-fuzz
author: Daniel Stenberg <daniel@haxx.se> 2018-03-08 10:33:16 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2018-03-12 07:47:07 +0100
commit: d52dc4760f6d9ca1937eefa2093058a952465128 (patch)
tree: bd9dcbf19b67a557feafb56075536b283e6a63c7 /lib/transfer.c
parent: ddb879c6ae3187dab50430fe0e9b0ba8653204d3 (diff)
download: curl-d52dc4760f6d9ca1937eefa2093058a952465128.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/transfer.c b/lib/transfer.c
index c46ac25f4..fd9af3155 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -808,10 +808,15 @@ static CURLcode readwrite_data(struct Curl_easy *data,
 
     } /* if(!header and data to read) */
 
-    if(conn->handler->readwrite &&
-       (excess > 0 && !conn->bits.stream_was_rewound)) {
+    if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
       /* Parse the excess data */
       k->str += nread;
+
+      if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
+        /* the excess amount was too excessive(!), make sure
+           it doesn't read out of buffer */
+        excess = &k->buf[data->set.buffer_size] - k->str;
+      }
       nread = (ssize_t)excess;
 
       result = conn->handler->readwrite(data, conn, &nread, &readmore);
author	Daniel Stenberg <daniel@haxx.se>	2018-03-08 10:33:16 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2018-03-12 07:47:07 +0100
commit	d52dc4760f6d9ca1937eefa2093058a952465128 (patch)
tree	bd9dcbf19b67a557feafb56075536b283e6a63c7 /lib/transfer.c
parent	ddb879c6ae3187dab50430fe0e9b0ba8653204d3 (diff)
download	curl-d52dc4760f6d9ca1937eefa2093058a952465128.tar.gz