MacOS (Arm64) crash on curl += 7.76

[richardmarion]

With the addition of the statement of "full-size = (size_t) data->set.max_send_speed" on line 1179-1182 in http.c in commit 24e469f#diff-14c8235d370910f1781de1a00ed1957ec948e84e88fdc52db87bd4eb7c7167ff made for 7.76, MacOS crashes in memcpy on line 1205.

I did this. Built version 7.75 and version 7.76 from sources for arm64 target. Once I took out line 1179-1182 from http.c, I was able to run overnight without memory violation crashes.

I expected the following. I expected both versions to work

curl/libcurl version - 7.75 & 7.76

[curl -V output]

MacOS 11.4

[bagder]

But why does it crash there? Isn't fullsize smaller than http->postsize in that case so that it copies less data than it would otherwise?

[richardmarion]

Hi Daniel, Not sure why assigning fullsize crashes the app. Let me instrument the code and log fullsize. I can also send .crashes if it helps. Rick From: Daniel Stenberg ***@***.***> Reply-To: curl/curl ***@***.***> Date: Monday, June 28, 2021 at 9:14 AM To: curl/curl ***@***.***> Cc: Richard Marion ***@***.***>, Author ***@***.***> Subject: Re: [curl/curl] MacOS (Arm64) crash on curl += 7.76 (#7308) But why does it crash there? Isn't fullsize smaller than http->postsize in that case so that it copies less data than it would otherwise? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcurl%2Fcurl%2Fissues%2F7308%23issuecomment-869818366&data=04%7C01%7Crmarion%40vmware.com%7C9ea71cef87f84bfbc30808d93a4fd917%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637604936892571311%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=QrQc0nGUQLK9etgkUoH8mv1kGUR9sanOUH4vuZ72GV0%3D&reserved=0>, or unsubscribe<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAL7NMDX7ALXHMGE64SP4GLLTVCNXNANCNFSM47OITPWA&data=04%7C01%7Crmarion%40vmware.com%7C9ea71cef87f84bfbc30808d93a4fd917%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637604936892581259%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=bva6u4dUMFzwvuS6mWCGNP4vxs25e3Gp0u7Ml0rcbgQ%3D&reserved=0>.

[bagder]

I can also send .crashes if it helps

Nah, I wouldn't know what to do with it.

[jay]

curl/lib/http.c

Lines 1163 to 1170 in 6b951a6

	static size_t readmoredata(char *buffer,
	size_t size,
	size_t nitems,
	void *userp)
	{
	struct Curl_easy *data = (struct Curl_easy *)userp;
	struct HTTP *http = data->req.p.http;
	size_t fullsize = size * nitems;

curl/lib/http.c

Lines 1179 to 1182 in 6b951a6

	if(data->set.max_send_speed &&
	(data->set.max_send_speed < http->postsize))
	/* speed limit */
	fullsize = (size_t)data->set.max_send_speed;

curl/lib/http.c

Line 1205 in 6b951a6

memcpy(buffer, http->postdata, fullsize);

fullsize should not be larger than the passed in fullsize which is the size of buffer. My guess is the max speed that is assigned to fullsize is larger than the passed in fullsize.

diff --git a/lib/http.c b/lib/http.c
index 6d5d8fb..7b44198 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1177,6 +1177,7 @@ static size_t readmoredata(char *buffer,
   data->req.forbidchunk = (http->sending == HTTPSEND_REQUEST)?TRUE:FALSE;
 
   if(data->set.max_send_speed &&
+     (data->set.max_send_speed < fullsize) &&
      (data->set.max_send_speed < http->postsize))
     /* speed limit */
     fullsize = (size_t)data->set.max_send_speed;

[bagder]

@jay looks correct. Make a PR?

[bagder]

I decided it would be quicker if I just made a PR out of @jay's proposal. See #7315

[jay]

I was working on the commit message at the same time you opened so I force pushed to your branch