curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds

#include "strequal.h"

#include "curl_memory.h"

#include "sendf.h"

#include "strdup.h"

#define _MPRINTF_REPLACE /* use our functions only */

#include <curl/mprintf.h>

  return contenttype;

}

/***************************************************************************

 *

 * memdup()

 *

 * Copies the 'source' data to a newly allocated buffer buffer (that is

 * returned). Uses buffer_length if not null, else uses strlen to determine

 * the length of the buffer to be copied

 *

 * Returns the new pointer or NULL on failure.

 *

 ***************************************************************************/

static char *memdup(const char *src, size_t buffer_length)

{

  size_t length;

  bool add = FALSE;

  char *buffer;

  if(buffer_length)

    length = buffer_length;

  else if(src) {

    length = strlen(src);

    add = TRUE;

  }

  else

    /* no length and a NULL src pointer! */

    return strdup("");

  buffer = malloc(length+add);

  if(!buffer)

    return NULL; /* fail */

  memcpy(buffer, src, length);

  /* if length unknown do null termination */

  if(add)

    buffer[length] = '\0';

  return buffer;

}

/***************************************************************************

 *

 * FormAdd()

           (form == first_form) ) {

          /* Note that there's small risk that form->name is NULL here if the

             app passed in a bad combo, so we better check for that first. */

          if(form->name)

          if(form->name) {

            /* copy name (without strdup; possibly contains null characters) */

            form->name = memdup(form->name, form->namelength);

            form->name = Curl_memdup(form->name, form->namelength?

                                     form->namelength:

                                     strlen(form->name)+1);

          }

          if(!form->name) {

            return_value = CURL_FORMADD_MEMORY;

            break;

                            HTTPPOST_PTRCONTENTS | HTTPPOST_PTRBUFFER |

                            HTTPPOST_CALLBACK)) && form->value) {

          /* copy value (without strdup; possibly contains null characters) */

          form->value = memdup(form->value, form->contentslength);

          form->value = Curl_memdup(form->value, form->contentslength?

                                    form->contentslength:

                                    strlen(form->value)+1);

          if(!form->value) {

            return_value = CURL_FORMADD_MEMORY;

            break;

 *                            | (__| |_| |  _ <| |___

 *                             \___|\___/|_| \_\_____|

 *

 * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.

 * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.

 *

 * This software is licensed as described in the file COPYING, which

 * you should have received as part of this distribution. The terms

 * KIND, either express or implied.

 *

 ***************************************************************************/

/*

 * This file is 'mem-include-scan' clean. See test 1132.

 */

#include "curl_setup.h"

#include "strdup.h"

#include "curl_memory.h"

/* The last #include file should be: */

#include "memdebug.h"

#ifndef HAVE_STRDUP

char *curlx_strdup(const char *str)

}

#endif

/***************************************************************************

 *

 * Curl_memdup(source, length)

 *

 * Copies the 'source' data to a newly allocated buffer (that is

 * returned). Copies 'length' bytes.

 *

 * Returns the new pointer or NULL on failure.

 *

 ***************************************************************************/

char *Curl_memdup(const char *src, size_t length)

{

  char *buffer = malloc(length);

  if(!buffer)

    return NULL; /* fail */

  memcpy(buffer, src, length);

  /* if length unknown do null termination */

  return buffer;

}

 *                            | (__| |_| |  _ <| |___

 *                             \___|\___/|_| \_\_____|

 *

 * Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.

 * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.

 *

 * This software is licensed as described in the file COPYING, which

 * you should have received as part of this distribution. The terms

#ifndef HAVE_STRDUP

extern char *curlx_strdup(const char *str);

#endif

char *Curl_memdup(const char *src, size_t buffer_length);

#endif /* HEADER_CURL_STRDUP_H */

#include "multihandle.h"

#include "pipeline.h"

#include "dotdot.h"

#include "strdup.h"

#define _MPRINTF_REPLACE /* use our functions only */

#include <curl/mprintf.h>

{

  /* Free all dynamic strings stored in the data->set substructure. */

  enum dupstring i;

  for(i=(enum dupstring)0; i < STRING_LAST; i++)

  for(i=(enum dupstring)0; i < STRING_LAST; i++) {

    Curl_safefree(data->set.str[i]);

  }

  if(data->change.referer_alloc) {

    Curl_safefree(data->change.referer);

  memset(dst->set.str, 0, STRING_LAST * sizeof(char *));

  /* duplicate all strings */

  for(i=(enum dupstring)0; i< STRING_LAST; i++) {

  for(i=(enum dupstring)0; i< STRING_LASTZEROTERMINATED; i++) {

    result = setstropt(&dst->set.str[i], src->set.str[i]);

    if(result)

      break;

      return result;

  }

  /* If a failure occurred, freeing has to be performed externally. */

  return result;

  /* duplicate memory areas pointed to */

  i = STRING_COPYPOSTFIELDS;

  if(src->set.postfieldsize && src->set.str[i]) {

    /* postfieldsize is curl_off_t, Curl_memdup() takes a size_t ... */

    dst->set.str[i] = Curl_memdup(src->set.str[i], src->set.postfieldsize);

    if(!dst->set.str[i])

      return CURLE_OUT_OF_MEMORY;

    /* point to the new copy */

    dst->set.postfields = dst->set.str[i];

  }

  return CURLE_OK;

}

/*

  STRING_KRB_LEVEL,       /* krb security level */

  STRING_NETRC_FILE,      /* if not NULL, use this instead of trying to find

                             $HOME/.netrc */

  STRING_COPYPOSTFIELDS,  /* if POST, set the fields' values here */

  STRING_PROXY,           /* proxy to use */

  STRING_SET_RANGE,       /* range, if used */

  STRING_SET_REFERER,     /* custom string for the HTTP referer field */

  STRING_BEARER,          /* <bearer>, if used */

  /* -- end of strings -- */

  /* -- end of zero-terminated strings -- */

  STRING_LASTZEROTERMINATED,

  /* -- below this are pointers to binary data that cannot be strdup'ed.

     Each such pointer must be added manually to Curl_dupset() --- */

  STRING_COPYPOSTFIELDS,  /* if POST, set the fields' values here */

  STRING_LAST /* not used, just an end-of-list marker */

};