Segfault when add mime as subpart to itself #1962

Closed
moteus opened this Issue Oct 6, 2017 · 2 comments


moteus commented Oct 6, 2017

I did this

curl_mime *mime = curl_mime_init(easy);
curl_mimepart *part = curl_mime_addpart(mime);
CURLcode a1 = curl_mime_subparts(part, mime);
curl_mime_free(mime);

I expected the following

curl_mime_free(mime); should not crash but curl_mime_subparts(part, mime); should return CURLE_BAD_FUNCTION_ARGUMENT and do nothing.

curl/libcurl version

curl 7.56.0 (i386-pc-win32) libcurl/7.56.0 WinSSL
Release-Date: 2017-10-04
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Largefile SSPI Kerberos SPNEGO NTLM SSL

operating system

Windows 7 x64

Owner

bagder commented Oct 7, 2017

I'm not convinced this is something we have to protect against, but it should be easy to at least prevent this bad use.

bagder added a commit that referenced this issue Oct 7, 2017

mime: prevent curl_mime_subparts() from adding "itself"
Refuse to add its own "ancestor".

Reported-by: Alexey Melnichuk
Fixes #1962
Owner

bagder commented Oct 7, 2017

Let me know what you think of this fix!

bagder added the crash label Oct 7, 2017

monnerat closed this in ebcbed3 Oct 8, 2017
