Commit c2a809cd authored by Daniel Stenberg's avatar Daniel Stenberg

formpost: fix memory leaks in AddFormData error branches

Reported-by: Dmitry-Me
Fixes #688
parent ae7d6b71
+25 −11
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -825,28 +825,34 @@ static CURLcode AddFormData(struct FormData **formp,
                            curl_off_t length,
                            curl_off_t *size)
{
  struct FormData *newform = malloc(sizeof(struct FormData));
  struct FormData *newform;
  char *alloc2 = NULL;
  CURLcode result = CURLE_OK;
  if(length < 0 || (size && *size < 0))
    return CURLE_BAD_FUNCTION_ARGUMENT;

  newform = malloc(sizeof(struct FormData));
  if(!newform)
    return CURLE_OUT_OF_MEMORY;
  newform->next = NULL;

  if(length < 0 || (size && *size < 0))
    return CURLE_BAD_FUNCTION_ARGUMENT;

  if(type <= FORM_CONTENT) {
    /* we make it easier for plain strings: */
    if(!length)
      length = strlen((char *)line);
#if (SIZEOF_SIZE_T < CURL_SIZEOF_CURL_OFF_T)
    else if(length >= (curl_off_t)(size_t)-1)
      return CURLE_BAD_FUNCTION_ARGUMENT;
    else if(length >= (curl_off_t)(size_t)-1) {
      result = CURLE_BAD_FUNCTION_ARGUMENT;
      goto error;
    }
#endif

    newform->line = malloc((size_t)length+1);
    if(!newform->line) {
      free(newform);
      return CURLE_OUT_OF_MEMORY;
      result = CURLE_OUT_OF_MEMORY;
      goto error;
    }
    alloc2 = newform->line;
    memcpy(newform->line, line, (size_t)length);
    newform->length = (size_t)length;
    newform->line[(size_t)length]=0; /* zero terminate for easier debugging */
@@ -877,12 +883,20 @@ static CURLcode AddFormData(struct FormData **formp,
        struct_stat file;
        if(!stat(newform->line, &file) && !S_ISDIR(file.st_mode))
          *size += filesize(newform->line, file);
        else
          return CURLE_BAD_FUNCTION_ARGUMENT;
        else {
          result = CURLE_BAD_FUNCTION_ARGUMENT;
          goto error;
        }
      }
    }
  }
  return CURLE_OK;
  error:
  if(newform)
    free(newform);
  if(alloc2)
    free(alloc2);
  return result;
}

/*
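Review bot: The new `goto error` in the stat() failure branch of the last hunk frees `newform` late in AddFormData, after a stretch of the function between the second and third hunks that is not shown here. If that hidden stretch has already stored `newform` into `*formp` (or into the previous node's `next`), the caller's list is left pointing at freed memory, so the leak fix would become a use-after-free or double free when the list is later walked or released. Please confirm that no failing branch can run after the node is published, for example by doing the `*size` accounting first and linking the node into `*formp` only immediately before `return CURLE_OK;`. Separately, `newform` is never NULL when `error:` is reached and `free(NULL)` is a no-op, so the cleanup can be written as `free(newform); free(alloc2);`.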