On Wed, 2 Feb 2005, David Byron wrote:

>> ... so with your patch, there's a single-byte buffer overflow.
>
> I don't think there's a buffer overflow by doing this. The actual buffer is
> an array of [BUFSIZE + 1], so there's still room for the NULL terminator.
> Also, in http.c, the call to Curl_read passes BUFSIZE when nread is 0, so I
> think BUFSIZE is OK.

Ah, thanks for correcting me!

> Not that this is a bulletproof test, but I created another document that's
> one byte shorter, and another that's one byte longer and the patched curl
> downloads them both just fine.

While I don't mind removing that -1 from the code, especially since it has no
purpose, I still can't see why that causes an error. It merely decides how
large buffer to use.

Try removing the -1 and define CURL_MAX_WRITE_SIZE to be 16383. In my eyes,
that should suffer from the same problem(s).

-- 
      Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se
       Dedicated custom curl help for hire: http://haxx.se/curl.html