aprintf: detect wrap-around when growing allocation
On 32bit systems we could otherwise wrap around after 2GB and allocate 0
bytes and crash.

CVE-2016-8618

Bug: https://curl.haxx.se/docs/adv_20161102D.html
Reported-by: Cure53
bagder committed Oct 31, 2016
1 parent ee4f766 commit 8732ec4
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions lib/mprintf.c
Expand Up @@ -1036,16 +1036,19 @@ static int alloc_addbyter(int output, FILE *data)
infop->len =0;
}
else if(infop->len+1 >= infop->alloc) {
char *newptr;
char *newptr = NULL;
size_t newsize = infop->alloc*2;

newptr = realloc(infop->buffer, infop->alloc*2);
/* detect wrap-around or other overflow problems */
if(newsize > infop->alloc)
newptr = realloc(infop->buffer, newsize);

if(!newptr) {
infop->fail = 1;
return -1; /* fail */
}
infop->buffer = newptr;
infop->alloc *= 2;
infop->alloc = newsize;
}

infop->buffer[ infop->len ] = outc;
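
Review bot: the guard `if(newsize > infop->alloc)` only detects the wrap if `infop->alloc` is an unsigned type, so that `infop->alloc*2` wraps to a smaller value instead of overflowing a signed one. The declaration is not visible in this hunk, so either confirm it is `size_t` or test before multiplying, for instance by comparing `infop->alloc` against half the maximum `size_t` value. On the failure path `infop->buffer` still points at the old allocation when `-1` is returned, so a short comment stating that the caller releases it when `infop->fail` is set would make the ownership clear. Wrap-around and a genuine `realloc` failure now take the same `!newptr` branch, which keeps the error handling in one place.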