curl-library

Memory corruption on WriteMemoryCallback (HEADERFUNCTION/WRITEHEADER)

From: rc <rc_at_datasystem.fr>
Date: Fri, 20 May 2005 18:12:01 +0000

Hi,

The use of the HEADERFUNCTION/WRITEHEADER option while FTP uploading involves
memory corruption:

Purify result:

      SBR: Stack array bounds read
      This is occurring while in:
            WriteMemoryCallback [agl_ftplib.c:483]
                 size_t realsize = size * nmemb;
                 struct MemoryStruct *mem = (struct MemoryStruct *)data;
               
            => mem->memory = (char *)myrealloc(mem->memory, mem->size + realsize + 1);
                 if (mem->memory) {
                   memcpy(&(mem->memory[mem->size]), ptr, realsize);
                   mem->size += realsize;
            Curl_client_write [sendf.c:357]
            Curl_GetFTPResponse [ftp.c:386]
            ftp_quit [ftp.c:2339]
            Curl_ftp_disconnect [ftp.c:2366]
            Curl_disconnect [url.c:1482]
            ConnectionKillOne [url.c:1712]
            Curl_close [url.c:206]
            XXX_closeConnection [agl_ftplib.c:574]
            main [agl_baedic.c:238]
            _start [crt1.o]
      Reading 4 bytes from 0xffbe9eb4.
      Frame pointer 0xffbe9e88
      Address 0xffbe9eb4 is 44 bytes above stack pointer in function Curl_close.

Source code:

static size_t WriteMemoryCallback(void *ptr, size_t size, size_t nmemb, void *data)
{
  register int realsize = size * nmemb;
  struct MemoryStruct *mem = (struct MemoryStruct *)data;

  mem->memory = (char *)realloc(mem->memory, mem->size + realsize + 1);
  if (mem->memory) {
    memcpy(&(mem->memory[mem->size]), ptr, realsize);
    mem->size += realsize;
    mem->memory[mem->size] = 0;
  }
  return realsize;
}

...
f1() {
  ...
  curl_easy_setopt(curl, CURLOPT_HEADERFUNCTION, WriteMemoryCallback);
  curl_easy_setopt(curl, CURLOPT_WRITEHEADER, (void *)&chunk);

  res = curl_easy_perform(curl);
  ...
  curl_easy_cleanup(curl);
  curl_global_cleanup();
}

WriteMemory crashes when it is called by libcurl on connection close.
The data parameter is wrong.

Any ideas?

raoul
Received on 2005-05-20
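
Added example, not part of the original post and not libcurl's own code: the Purify stack shows the header callback still being invoked from ftp_quit while the handle is closed, so the pointer given to CURLOPT_WRITEHEADER must stay valid until after that close. Assuming `chunk` in the post is a local of f1() and the close happens after f1() has returned, one defensive pattern is a heap-allocated buffer freed only after the handle is closed; chunk_new, chunk_free and deliver are hypothetical helpers, and deliver stands in for libcurl with constructed FTP reply lines.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Same fields as the post's MemoryStruct. */
struct MemoryStruct {
  char *memory;
  size_t size;
};

/* Heap lifetime: the buffer outlives the function that sets up the transfer. */
static struct MemoryStruct *chunk_new(void)
{
  return calloc(1, sizeof(struct MemoryStruct));
}

/* Call only after the handle has been closed, since the trace shows the
   callback firing during close. */
static void chunk_free(struct MemoryStruct *mem)
{
  if (mem) {
    free(mem->memory);
    free(mem);
  }
}

/* Header callback. Returning anything other than size * nmemb signals an
   error to libcurl, so every failure path returns 0. */
static size_t WriteMemoryCallback(void *ptr, size_t size, size_t nmemb, void *data)
{
  struct MemoryStruct *mem = data;
  size_t realsize;
  char *grown;

  if (!mem || (nmemb && size > SIZE_MAX / nmemb))
    return 0;                       /* no buffer, or size * nmemb overflows */
  realsize = size * nmemb;
  if (realsize >= SIZE_MAX - mem->size)
    return 0;                       /* total length would overflow */
  grown = realloc(mem->memory, mem->size + realsize + 1);
  if (!grown)
    return 0;                       /* old buffer is still owned by mem */
  mem->memory = grown;
  memcpy(mem->memory + mem->size, ptr, realsize);
  mem->size += realsize;
  mem->memory[mem->size] = '\0';
  return realsize;
}

/* Constructed stand-in for libcurl: hands one FTP reply line to the callback. */
static size_t deliver(struct MemoryStruct *mem, const char *line)
{
  return WriteMemoryCallback((void *)line, 1, strlen(line), mem);
}
```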