Commit 738b0ba0 authored by Jay Satiro's avatar Jay Satiro

formdata: Check if length is too large for memory

- If the size of the length type (curl_off_t) is greater than the size
of the size_t type then check before allocating memory to make sure the
value of length will fit in a size_t without overflow. If it doesn't
then return CURLE_BAD_FUNCTION_ARGUMENT.

Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
Reported-by: Steve Holme
parent a62000ec
+11 −4
@@ -830,19 +830,26 @@ static CURLcode AddFormData(struct FormData **formp,
    return CURLE_OUT_OF_MEMORY;
  newform->next = NULL;

  if(length < 0 || (size && *size < 0))
    return CURLE_BAD_FUNCTION_ARGUMENT;

  if(type <= FORM_CONTENT) {
    /* we make it easier for plain strings: */
    if(!length)
      length = strlen((char *)line);
#if (SIZEOF_SIZE_T < CURL_SIZEOF_CURL_OFF_T)
    else if(length >= (curl_off_t)(size_t)-1)
      return CURLE_BAD_FUNCTION_ARGUMENT;
#endif

    newform->line = malloc(length+1);
    newform->line = malloc((size_t)length+1);
    if(!newform->line) {
      free(newform);
      return CURLE_OUT_OF_MEMORY;
    }
    memcpy(newform->line, line, length);
    newform->length = length;
    newform->line[length]=0; /* zero terminate for easier debugging */
    memcpy(newform->line, line, (size_t)length);
    newform->length = (size_t)length;
    newform->line[(size_t)length]=0; /* zero terminate for easier debugging */
  }
  else
    /* For callbacks and files we don't have any actual data so we just keep a
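Review bot: The two new early returns — the one after `if(length < 0 || (size && *size < 0))` and the one inside the `#if (SIZEOF_SIZE_T < CURL_SIZEOF_CURL_OFF_T)` branch — return CURLE_BAD_FUNCTION_ARGUMENT without freeing `newform`, which is already live at that point (the `return CURLE_OUT_OF_MEMORY;` at the top of the hunk is the failure path of its allocation just above, and `newform->next = NULL` writes to it). The existing malloc-failure path a few lines further down does `free(newform)` before returning, so the new argument checks should do the same; as written, every call with a rejected length leaks one struct FormData. Both sites need braces around the free and the return. AddFormData begins before this hunk and its else branch for callbacks and files continues after it, so any length conversion there cannot be checked from here.
```c
  if(length < 0 || (size && *size < 0)) {
    free(newform);
    return CURLE_BAD_FUNCTION_ARGUMENT;
  }

  /* … unchanged: type check and strlen default for empty length … */
#if (SIZEOF_SIZE_T < CURL_SIZEOF_CURL_OFF_T)
    else if(length >= (curl_off_t)(size_t)-1) {
      free(newform);
      return CURLE_BAD_FUNCTION_ARGUMENT;
    }
#endif
```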