Commit 8732ec40 authored by Daniel Stenberg

aprintf: detect wrap-around when growing allocation

On 32bit systems we could otherwise wrap around after 2GB and allocate 0
bytes and crash.

CVE-2016-8618

Bug: https://curl.haxx.se/docs/adv_20161102D.html
Reported-by: Cure53
parent ee4f7660
+6 −3
@@ -1036,16 +1036,19 @@ static int alloc_addbyter(int output, FILE *data)
    infop->len =0;
  }
  else if(infop->len+1 >= infop->alloc) {
    char *newptr;
    char *newptr = NULL;
    size_t newsize = infop->alloc*2;

    newptr = realloc(infop->buffer, infop->alloc*2);
    /* detect wrap-around or other overflow problems */
    if(newsize > infop->alloc)
      newptr = realloc(infop->buffer, newsize);

    if(!newptr) {
      infop->fail = 1;
      return -1; /* fail */
    }
    infop->buffer = newptr;
    infop->alloc *= 2;
    infop->alloc = newsize;
  }

  infop->buffer[ infop->len ] = outc;
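Review bot: The guard `if(newsize > infop->alloc)` only detects the wrap-around because both operands are unsigned, so a doubled value that overflowed `size_t` compares smaller than the original; `infop->alloc` is declared outside this hunk, so the fix silently depends on that field being `size_t` (or another unsigned type) rather than a signed count, where the multiplication would be undefined behaviour instead of a wrap. Checking before the multiplication states the intent without relying on modular arithmetic and does not need the reader to reason about wrap-around: `if(infop->alloc <= SIZE_MAX / 2)` in place of the current condition (newsize is still computed as before and is simply unused when the check fails). The comment on the new check would also be clearer if it said what is being refused, e.g. `/* alloc*2 would wrap around; refuse to grow rather than realloc() to a tiny or zero size */`. Note that on the refused path `infop->buffer` is left intact because the realloc result is never stored over it, which is the right behaviour for the caller that later frees it; alloc_addbyter starts before this hunk and continues after it.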