cURL / Mailing Lists / curl-users / Single Mail


[ curl-Bugs-479592 ] Read beyond buffer boundary

From: <>
Date: Thu, 08 Nov 2001 06:46:25 -0800

Bugs item #479592, was opened at 2001-11-08 06:46
You can respond by visiting:

Category: libcurl
Group: crash
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Daniel Stenberg (bagder)
Summary: Read beyond buffer boundary

Initial Comment:
Under certain circumstances is is possible to induce
AddFormData in formatdata.c to read beyond the end of a
buffer by one character.

When posting a CURFORM_PTRCONTENTS defined form field
that also has the field length specified using
CURLFORM_CONTENTSLENGTH the memcpy on line 926 of
formdata.c mistakenly copies an extra byte from the end
of the buffer, because it assumes that the data being
sent is a typical c string, the length of which is
determined by strlen. The validity of the assignment on
line 928 is also questionable.

I have hacked an alternative AddFormData together, see


You can respond by visiting:
Received on 2001-11-08