authorTim Rühsen <tim.ruehsen@gmx.de>2017-10-20 15:15:47 +0200
committerTim Rühsen <tim.ruehsen@gmx.de>2017-10-26 17:29:38 +0200
commitba6b44f6745b14dce414761a8e4b35d31b176bba (patch)
treebb0990c7e93e155d076e575b4c2cb362ad6281fb
parentd892291fb8ace4c3b734ea5125770989c215df3f (diff)
downloadwget-ba6b44f6745b14dce414761a8e4b35d31b176bba.tar.gz
Fix heap overflow in HTTP protocol handling (CVE-2017-13090)v1.19.2
* src/retr.c (fd_read_body): Stop processing on negative chunk size Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint Reported-by: Juhani Eronen from Finnish National Cyber Security Centre
-rw-r--r--src/retr.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/retr.c b/src/retr.c
index c1bc600e..6555ed4f 100644
--- a/src/retr.c
+++ b/src/retr.c
@@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread,
remaining_chunk_size = strtol (line, &endl, 16);
xfree (line);
+ if (remaining_chunk_size < 0)
+ {
+ ret = -1;
+ break;
+ }
+
if (remaining_chunk_size == 0)
{
ret = 0;