Unverified Commit 13c9a9de authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

imap: if a FETCH response has no size, don't call write callback 

CVE-2017-1000257

Reported-by: Brian Carpenter and 0xd34db347
Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
parent 769647e7

lib/imap.c

+5 −0
Original line number Diff line number Diff line
@@ -1126,6 +1126,11 @@ static CURLcode imap_state_fetch_resp(struct connectdata *conn, int imapcode, 
        /* The conversion from curl_off_t to size_t is always fine here */

        chunk = (size_t)size;



      if(!chunk) {

        /* no size, we're done with the data */

        state(conn, IMAP_STOP);

        return CURLE_OK;

      }

      result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk);

      if(result)

        return result;