Mailing Lists

curl-tracker Archives

[curl:bugs] #612 Stack overwrite under 64-bit Windows

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Tue, 14 Apr 2015 08:33:39 +0000

1. please use the issue tracker on github or post to the mailing list.

2. please clarify how this bug occurs for you, we have fixes in place for this so how come you get hurt like this?

3. which libcurl version are you using and how are you building it?

---
** [bugs:#612] Stack overwrite under 64-bit Windows**
**Status:** closed-accepted
**Labels:** libcurl 
**Created:** Mon Nov 13, 2006 01:33 AM UTC by Anonymous
**Last Updated:** Tue Apr 14, 2015 06:13 AM UTC
**Owner:** Daniel Stenberg
PROBLEM
If compiled for Windows x64 \(and possibly other 64-bit
platforms\), the function Curl\_httpchunk\_read\(\) in
http\_chunks.c causes a stack overwrite in its caller.
This applies to libcurl 7.16.0 \(and probably earlier
versions\).
CAUSE
This is caused by this line: http\_chunks.c\(111\):
size\_t \*wrote = \(size\_t \*\)wrotep;
The wrotep argument is of type \(ssize\_t \*\). This cast
tacitly assumes that sizeof\(size\_t\) == sizeof\(ssize\_t\).
In config-win32.h 'ssize\_t' defaults to 'int'. This
works on 32-bit Windows platforms, but on 64-bit
platforms 'size\_t' is widened to 64 bits \(unsigned
\_\_int64\) and writing through \*wrote writes 64 bits,
whereas wrotep only addresses 32 bits \(namely, the
'int' that 'ssize\_t' defaults to\). In other words,
sizeof\(size\_t\) > sizeof\(ssize\_t\) in that case.
RESOLUTION
In config\_win32.h, change the lines:
/\* Define to 'int' if ssize\_t is not an available
'typedefed' type \*/
\#if \(defined\(\_\_WATCOMC\_\_\) && \(\_\_WATCOMC\_\_ >= 1240\)\) ||
defined\(\_\_POCC\_\_\)
\#else
\#define ssize\_t int
\#endif
...to:
/\* Define to 'long' or '\_\_int64' if ssize\_t is not an
available 'typedefed' type \*/
\#if \(defined\(\_\_WATCOMC\_\_\) && \(\_\_WATCOMC\_\_ >= 1240\)\) ||
defined\(\_\_POCC\_\_\)
\#elif defined\(\_WIN64\)
\#define ssize\_t \_\_int64
\#else
\#define ssize\_t long
\#endif
Best wishes,
Ron <support_at_tarma.com>
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

Received on 2015-04-14

This message: [ Message body ]
Next message: Daniel Stenberg: "[curl:bugs] #1213 Wrong STARTTRANSFER timer for POST requests getting response code 100"
Previous message: Tigzy: "[curl:bugs] #612 Stack overwrite under 64-bit Windows"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

These mail archives are generated by hypermail.