Unverified Commit d52dc476 authored by Daniel Stenberg's avatar Daniel Stenberg

readwrite: make sure excess reads don't go beyond buffer end

CVE-2018-1000122
Bug: https://curl.haxx.se/docs/adv_2018-b047.html

Detected by OSS-fuzz
parent ddb879c6
+7 −2
@@ -808,10 +808,15 @@ static CURLcode readwrite_data(struct Curl_easy *data,

    } /* if(!header and data to read) */

    if(conn->handler->readwrite &&
       (excess > 0 && !conn->bits.stream_was_rewound)) {
    if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
      /* Parse the excess data */
      k->str += nread;

      if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
        /* the excess amount was too excessive(!), make sure
           it doesn't read out of buffer */
        excess = &k->buf[data->set.buffer_size] - k->str;
      }
      nread = (ssize_t)excess;

      result = conn->handler->readwrite(data, conn, &nread, &readmore);
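Review bot: The added check `if(&k->str[excess] > &k->buf[data->set.buffer_size])` forms the pointer `&k->str[excess]` before it is known to lie within the buffer; for an oversized excess that pointer arithmetic is undefined behaviour and the address may wrap, so the clamp could be skipped in exactly the case it is meant to catch. Comparing lengths instead of addresses avoids this: `if(excess > (size_t)(&k->buf[data->set.buffer_size] - k->str))`, with the assignment below it left unchanged. This assumes excess is an unsigned size and that k->str still points inside k->buf after `k->str += nread`; neither is visible here, because readwrite_data begins and ends outside the hunk. A short comment next to the clamp stating that invariant would help later readers.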