Commit 0ddc6789 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used 

The internal function that's used to detect known file extensions for
the default Content-Type got the the wrong pointer passed in when
CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that
strlen() would be used which could lead to an out-of-bounds read (and
thus segfault). In most cases it would only lead to it not finding or
using the correct default content-type.

It also showed that test 554 and test 587 were testing for the
previous/wrong behavior and now they're updated as well.

Bug: http://curl.haxx.se/bug/view.cgi?id=1262
Reported-by: Konstantin Isakov
parent 51f0b798

lib/formdata.c

+7 −5
Original line number Diff line number Diff line
@@ -178,7 +178,7 @@ static const char * ContentTypeForFilename (const char *filename, 
   * extensions and pick the first we match!

   */

  struct ContentType {

    char extension[6];

    const char *extension;

    const char *type;

  };

  static const struct ContentType ctts[]={
@@ -667,9 +667,11 @@ CURLFORMcode FormAdd(struct curl_httppost **httppost, 
        if(((form->flags & HTTPPOST_FILENAME) ||

            (form->flags & HTTPPOST_BUFFER)) &&

           !form->contenttype ) {

          char *f = form->flags & HTTPPOST_BUFFER?

            form->showfilename : form->value;



          /* our contenttype is missing */

          form->contenttype

            = strdup(ContentTypeForFilename(form->value, prevtype));

          form->contenttype = strdup(ContentTypeForFilename(f, prevtype));

          if(!form->contenttype) {

            return_value = CURL_FORMADD_MEMORY;

            break;

tests/data/test554

+2 −2
Original line number Diff line number Diff line
@@ -45,7 +45,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=-------------------------- 
POST /554 HTTP/1.1

Host: %HOSTIP:%HTTPPORT

Accept: */*

Content-Length: 732

Content-Length: 718

Expect: 100-continue

Content-Type: multipart/form-data; boundary=----------------------------
@@ -69,7 +69,7 @@ Content-Disposition: form-data; name="submit" 
send

------------------------------

Content-Disposition: form-data; name="somename"; filename="somefile.txt"

Content-Type: application/octet-stream

Content-Type: text/plain



blah blah

--------------------------------

tests/data/test587

+1 −1
Original line number Diff line number Diff line
@@ -35,7 +35,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=-------------------------- 
POST /587 HTTP/1.1

Host: %HOSTIP:%HTTPPORT

Accept: */*

Content-Length: 732

Content-Length: 718

Expect: 100-continue

Content-Type: multipart/form-data; boundary=----------------------------