diff options
author | Tim Rühsen <tim.ruehsen@gmx.de> | 2017-10-20 15:15:47 +0200 |
---|---|---|
committer | Tim Rühsen <tim.ruehsen@gmx.de> | 2017-10-26 17:29:38 +0200 |
commit | ba6b44f6745b14dce414761a8e4b35d31b176bba (patch) | |
tree | bb0990c7e93e155d076e575b4c2cb362ad6281fb | |
parent | d892291fb8ace4c3b734ea5125770989c215df3f (diff) | |
download | wget-ba6b44f6745b14dce414761a8e4b35d31b176bba.tar.gz |
Fix heap overflow in HTTP protocol handling (CVE-2017-13090)v1.19.2
* src/retr.c (fd_read_body): Stop processing on negative chunk size
Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
Reported-by: Juhani Eronen from Finnish National Cyber Security Centre
-rw-r--r-- | src/retr.c | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread, remaining_chunk_size = strtol (line, &endl, 16); xfree (line); + if (remaining_chunk_size < 0) + { + ret = -1; + break; + } + if (remaining_chunk_size == 0) { ret = 0; |