diff options
| author | Yang Tse <yangsita@gmail.com> | 2007-11-14 00:48:11 +0000 |
|---|---|---|
| committer | Yang Tse <yangsita@gmail.com> | 2007-11-14 00:48:11 +0000 |
| commit | a2926ebe7ca9e619f9d85d9b1d12d90f1fc714f4 (patch) | |
| tree | 5fada2c0ebcccb7f4b6798c698da6787e184363e /lib | |
| parent | c508d702586d50198213a457023aa8a95c73f279 (diff) | |
| download | curl-a2926ebe7ca9e619f9d85d9b1d12d90f1fc714f4.tar.gz | |
Fix a variable potential wrapping in add_buffer() when using absolutely
huge send buffer sizes
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/http.c | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/lib/http.c b/lib/http.c index 7d9c80b00..e7b39ad4b 100644 --- a/lib/http.c +++ b/lib/http.c @@ -1083,9 +1083,28 @@ CURLcode add_buffer(send_buffer *in, const void *inptr, size_t size) char *new_rb; size_t new_size; + if(~size < in->size_used) { + /* If resulting used size of send buffer would wrap size_t, cleanup + the whole buffer and return error. Otherwise the required buffer + size will fit into a single allocatable memory chunk */ + Curl_safefree(in->buffer); + free(in); + return CURLE_OUT_OF_MEMORY; + } + if(!in->buffer || ((in->size_used + size) > (in->size_max - 1))) { - new_size = (in->size_used+size)*2; + + /* If current buffer size isn't enough to hold the result, use a + buffer size that doubles the required size. If this new size + would wrap size_t, then just use the largest possible one */ + + if((size > (size_t)-1/2) || (in->size_used > (size_t)-1/2) || + (~(size*2) < (in->size_used*2))) + new_size = (size_t)-1; + else + new_size = (in->size_used+size)*2; + if(in->buffer) /* we have a buffer, enlarge the existing one */ new_rb = (char *)realloc(in->buffer, new_size); |