curl-library
isspace() usage in cookie.c
Date: Thu, 23 Sep 2004 18:45:58 +0530
Hi,
I am using curl 7.12.1 on Windows (compiled with VC7.1).
With debug builds, some of my testcases that are sending cookies with
characters that have the high bit set are causing assertions in the C
runtime.
isspace() has an _ASSERTE((unsigned)(c + 1) <= 256)
And this fires when Curl_cookie_add() is stripping trailing whitespace.
Apparently, VC's isspace() has some table and this assert indicates that
there may be an out-of-bounds access on it. I know that such kinds of
cookies are probably illegal. But I'd still rather have this fixed since
I want my application to be safe from possible strange and/or malicious
responses.
So, what is the right solution in this particular case? And what kind of
patch would be accepted upstream? I think we are not really concerned
with locales etc. for this particular case and are only really looking
for the classical ASCII whitespaces, right?
I can shut it up by casting like so:
    isspace((int)(unsigned char)what[len-1])
or doing something like:
    (what[len-1] > 0) && isspace((int)what[len-1])
Or something else ..... Thoughts?
Harshal
Received on 2004-09-23
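
The trailing-whitespace strip discussed in the message above, as an added example (not part of the original post and not curl's cookie.c code). The names `ascii_isspace`, `safe_isspace`, `strip_trailing_ws` and `demo_strip` are hypothetical, and the sample cookie value is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Locale-independent: true only for the six classic ASCII whitespace
   bytes (space, \t, \n, \v, \f, \r). Bytes >= 0x80 are never whitespace. */
static int ascii_isspace(unsigned char c)
{
    return c == ' ' || (c >= '\t' && c <= '\r');
}

/* isspace() is only defined for EOF and values representable as unsigned
   char. Converting through unsigned char maps a negative char to 128..255,
   so the call is always in range; the result for those bytes still
   depends on the current locale. */
static int safe_isspace(char c)
{
    return isspace((unsigned char)c);
}

/* Strip trailing ASCII whitespace in place and return the new length. */
static size_t strip_trailing_ws(char *s)
{
    size_t len = strlen(s);
    while (len > 0 && ascii_isspace((unsigned char)s[len - 1]))
        s[--len] = '\0';
    return len;
}

/* Constructed sample: high-bit bytes 0xE9 0xFF followed by whitespace. */
static size_t demo_strip(void)
{
    char value[] = "caf\xe9\xff \t\r\n";
    return strip_trailing_ws(value);
}

int main(void)
{
    printf("stripped length: %lu\n", (unsigned long)demo_strip());
    printf("safe_isspace(0xFF) in range: %d\n", safe_isspace((char)0xFF) != 0);
    return 0;
}
```

The ASCII-only predicate never consults the locale, so the high-bit bytes survive the strip whatever the process locale is.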