cURL / Mailing Lists / curl-users / Single Mail

curl-users

Bug in libCurl

From: Marcus Webster <marcus.webster_at_phocis.com>
Date: Thu, 8 Nov 2001 14:50:11 -0000

OS: Windows 2000
Compiler: MSVC++ 6 sp4
libCurl: 7.9.1
 
Under certain circumstances is is possible to induce
AddFormData in formatdata.c to read beyond the end of a
buffer by one character.
 
When posting a CURFORM_PTRCONTENTS defined form field
that also has the field length specified using
CURLFORM_CONTENTSLENGTH the memcpy on line 926 of
formdata.c mistakenly copies an extra byte from the end
of the buffer, because it assumes that the data being
sent is a typical c string, the length of which is
determined by strlen. The validity of the assignment on
line 928 is also questionable.
 
I have hacked an alternative AddFormData together, see
attached.
 
P.S. I tried to submit this at the SourceForge site but it wouldn't let me submit the form

Received on 2001-11-08