cURL / Mailing Lists / curl-users / Single Mail


Bug in libCurl

From: Marcus Webster <>
Date: Thu, 8 Nov 2001 14:50:11 -0000

OS: Windows 2000
Compiler: MSVC++ 6 sp4
libCurl: 7.9.1
Under certain circumstances is is possible to induce
AddFormData in formatdata.c to read beyond the end of a
buffer by one character.
When posting a CURFORM_PTRCONTENTS defined form field
that also has the field length specified using
CURLFORM_CONTENTSLENGTH the memcpy on line 926 of
formdata.c mistakenly copies an extra byte from the end
of the buffer, because it assumes that the data being
sent is a typical c string, the length of which is
determined by strlen. The validity of the assignment on
line 928 is also questionable.
I have hacked an alternative AddFormData together, see
P.S. I tried to submit this at the SourceForge site but it wouldn't let me submit the form

Received on 2001-11-08