curl-library
Re: Error buffer overflow
Date: Sun, 26 Oct 2003 16:41:05 +0100 (CET)
On Sat, 25 Oct 2003, James Bursa wrote:
> I've found that buffer set by CURLOPT_ERRORBUFFER may be written to one byte
> more than CURL_ERROR_SIZE. The documentation states "The buffer must be at
> least CURL_ERROR_SIZE big", which I interpret as meaning that a buffer of
> size CURL_ERROR_SIZE is acceptable. The overflow occurs when you attempt to
> access a local file with a very long name which doesn't exist.
>
> There are two different places in libcurl which may overflow. If the URL is
> exactly (CURL_ERROR_SIZE - 13) characters long and CURLOPT_VERBOSE is set,
> then Curl_failf() writes a 0 at error_buffer[CURL_ERROR_SIZE] (line 160).
> (The 13 is for "Couldn't open file ".)
>
> If the URL is anything longer then curl_mvsnprintf() writes a 0 at the same
> position (line 994). I think this is different behaviour from usual
> vsnprintf().
Thanks!
It is amazing that this bug has been around for so many years without anyone
ever noticing before.
Well done, James! A fix was committed to CVS a few moments ago.
-- Daniel Stenberg -- curl: been grokking URLs since 1998
Received on 2003-10-26
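The off-by-one James describes, illustrated by an added example that is not from this thread or from libcurl: a formatter with standard vsnprintf truncation semantics (NUL at or before buf[size-1]) and a guard-byte probe showing that a buffer of exactly CURL_ERROR_SIZE bytes is never written one past its end. ERROR_SIZE, safe_failf and probe_error_buffer are names assumed for this demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define ERROR_SIZE 256   /* assumed to match CURL_ERROR_SIZE; hard-coded so this builds without libcurl */
#define GUARD_BYTE 0xA5  /* stored at errbuf[ERROR_SIZE] to detect a one-past-the-end write */

/* Format an error message into a caller buffer of exactly `size` bytes with
 * standard vsnprintf semantics: at most size-1 characters are stored and the
 * NUL lands at or before errbuf[size-1], never at errbuf[size].
 * Returns 1 if the message was truncated, 0 otherwise. */
int safe_failf(char *errbuf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (!errbuf || size == 0)
        return 0;
    va_start(ap, fmt);
    needed = vsnprintf(errbuf, size, fmt, ap);
    va_end(ap);
    if (needed < 0) {           /* encoding error: leave an empty, terminated string */
        errbuf[0] = '\0';
        return 0;
    }
    errbuf[size - 1] = '\0';    /* belt and braces for pre-C99 vsnprintf implementations */
    return (size_t)needed >= size;
}

/* Constructed probe for the scenario in the report: a buffer of exactly
 * ERROR_SIZE bytes, the "Couldn't open file " prefix and a URL of url_len
 * characters. Returns 1 if the guard byte survived, the string is terminated
 * inside the buffer and truncation was reported correctly; 0 otherwise. */
int probe_error_buffer(size_t url_len)
{
    unsigned char storage[ERROR_SIZE + 1];  /* +1 holds the guard, not part of errbuf */
    char url[4096];
    char *errbuf = (char *)storage;
    int truncated, expect_truncated;

    if (url_len >= sizeof url)
        url_len = sizeof url - 1;
    memset(url, 'a', url_len);
    url[url_len] = '\0';
    storage[ERROR_SIZE] = GUARD_BYTE;
    truncated = safe_failf(errbuf, ERROR_SIZE, "Couldn't open file %s", url);
    expect_truncated = strlen("Couldn't open file ") + url_len >= ERROR_SIZE;
    return storage[ERROR_SIZE] == GUARD_BYTE
        && memchr(errbuf, '\0', ERROR_SIZE) != NULL
        && truncated == expect_truncated;
}
```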