curl-users

[ curl-Bugs-479592 ] Read beyond buffer boundary

From: <noreply_at_sourceforge.net>
Date: Thu, 08 Nov 2001 06:46:25 -0800

Bugs item #479592, was opened at 2001-11-08 06:46
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=100976&aid=479592&group_id=976

Category: libcurl
Group: crash
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Daniel Stenberg (bagder)
Summary: Read beyond buffer boundary

Initial Comment:
Under certain circumstances it is possible to induce
AddFormData in formdata.c to read beyond the end of a
buffer by one character.

When posting a CURLFORM_PTRCONTENTS defined form field
that also has the field length specified using
CURLFORM_CONTENTSLENGTH the memcpy on line 926 of
formdata.c mistakenly copies an extra byte from the end
of the buffer, because it assumes that the data being
sent is a typical C string, the length of which is
determined by strlen. The validity of the assignment on
line 928 is also questionable.

I have hacked an alternative AddFormData together, see
attached.

----------------------------------------------------------------------

Received on 2001-11-08
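
The pattern the report describes, as an added example that is not libcurl code and not the attachment mentioned in the report: a copy routine that always takes length + 1 bytes reads one byte past a field whose length the caller gave explicitly. The helper names and the convention that a length of 0 means "C string, use strlen" are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers, not libcurl code.
   Assumption: len == 0 means "data is a NUL-terminated C string". */

/* Mistaken pattern: always copies n + 1 bytes, assuming a terminating NUL
   follows the data even when the caller supplied an explicit length. */
static char *dup_field_buggy(const char *data, size_t len)
{
  size_t n = len ? len : strlen(data);
  char *out = malloc(n + 1);
  if(!out)
    return NULL;
  memcpy(out, data, n + 1); /* reads data[n], one byte past a len-byte field */
  return out;
}

/* Corrected pattern: copy exactly n bytes and write the terminator ourselves. */
static char *dup_field_fixed(const char *data, size_t len)
{
  size_t n = len ? len : strlen(data);
  char *out = malloc(n + 1);
  if(!out)
    return NULL;
  memcpy(out, data, n);
  out[n] = '\0';
  return out;
}

/* Constructed input: a 4-byte binary field followed by one unrelated byte.
   The array holds 5 bytes so the over-read stays inside it and can be
   observed without undefined behaviour. Returns byte 4 of the copy. */
static char trailing_byte(char *(*dup)(const char *, size_t))
{
  const char storage[5] = { 'A', 'B', 'C', 'D', 'X' };
  char *copy = dup(storage, 4);
  char last = copy ? copy[4] : '?';
  free(copy);
  return last;
}

int main(void)
{
  /* The buggy copy picks up the neighbouring byte; the fixed copy does not. */
  return (trailing_byte(dup_field_buggy) == 'X' &&
          trailing_byte(dup_field_fixed) == '\0') ? 0 : 1;
}
```

When the field is the last thing in its allocation, the extra byte read by the first version lies outside the buffer, which is the kind of access memory checkers such as Valgrind or AddressSanitizer report.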