curl-users
[ curl-Bugs-479592 ] Read beyond buffer boundary
Date: Thu, 08 Nov 2001 06:46:25 -0800
Bugs item #479592, was opened at 2001-11-08 06:46
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=100976&aid=479592&group_id=976
Category: libcurl
Group: crash
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Daniel Stenberg (bagder)
Summary: Read beyond buffer boundary
Initial Comment:
Under certain circumstances is is possible to induce
AddFormData in formatdata.c to read beyond the end of a
buffer by one character.
When posting a CURFORM_PTRCONTENTS defined form field
that also has the field length specified using
CURLFORM_CONTENTSLENGTH the memcpy on line 926 of
formdata.c mistakenly copies an extra byte from the end
of the buffer, because it assumes that the data being
sent is a typical c string, the length of which is
determined by strlen. The validity of the assignment on
line 928 is also questionable.
I have hacked an alternative AddFormData together, see
attached.
----------------------------------------------------------------------
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=100976&aid=479592&group_id=976
Received on 2001-11-08