You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Peng Li at Baidu X-Lab found an integer overflow in the function tool_progress_cb of src/tool_cb_prg.c, the error message is "tool_cb_prg.c:122:29: runtime error: signed integer overflow: 828 + 9223372036854775807 cannot be represented in type 'long'". Since the overflowed variable total is used in the consequent conditionals, I think it is a critical bug.
You could compile curl with undefined behavior sanitizer activated and apply "curl-ubsan -q -K id_005898" to reproduce the bug, the OS is ubuntu 16.04.2 LTS, curl's version is curl 7.61.1 (x86_64-pc-linux-gnu) libcurl/7.61.1. If you need any assistance, please let me know.
Thanks
Peng
int tool_progress_cb(void clientp,
curl_off_t dltotal, curl_off_t dlnow,
curl_off_t ultotal, curl_off_t ulnow)
{
/ The original progress-bar source code was written for curl by Lars Aas,
and this new edition inherits some of his concepts. */
Hi There
Peng Li at Baidu X-Lab found an integer overflow in the function tool_progress_cb of src/tool_cb_prg.c, the error message is "tool_cb_prg.c:122:29: runtime error: signed integer overflow: 828 + 9223372036854775807 cannot be represented in type 'long'". Since the overflowed variable total is used in the consequent conditionals, I think it is a critical bug.
You could compile curl with undefined behavior sanitizer activated and apply "curl-ubsan -q -K id_005898" to reproduce the bug, the OS is ubuntu 16.04.2 LTS, curl's version is curl 7.61.1 (x86_64-pc-linux-gnu) libcurl/7.61.1. If you need any assistance, please let me know.
Thanks
Peng
int tool_progress_cb(void clientp,
curl_off_t dltotal, curl_off_t dlnow,
curl_off_t ultotal, curl_off_t ulnow)
{
/ The original progress-bar source code was written for curl by Lars Aas,
and this new edition inherits some of his concepts. */
struct timeval now = tvnow();
struct ProgressData *bar = (struct ProgressData *)clientp;
curl_off_t total;
curl_off_t point;
/* expected transfer size */
total = dltotal + ultotal + bar->initial_size;
...
}
id_005898.txt
The text was updated successfully, but these errors were encountered: