Ok.

---
** [bugs:#612] Stack overwrite under 64-bit Windows**
**Status:** closed-accepted
**Labels:** libcurl 
**Created:** Mon Nov 13, 2006 01:33 AM UTC by Anonymous
**Last Updated:** Wed Apr 15, 2015 03:23 PM UTC
**Owner:** Daniel Stenberg
PROBLEM
If compiled for Windows x64 \(and possibly other 64-bit
platforms\), the function Curl\_httpchunk\_read\(\) in
http\_chunks.c causes a stack overwrite in its caller.
This applies to libcurl 7.16.0 \(and probably earlier
versions\).
CAUSE
This is caused by this line: http\_chunks.c\(111\):
size\_t \*wrote = \(size\_t \*\)wrotep;
The wrotep argument is of type \(ssize\_t \*\). This cast
tacitly assumes that sizeof\(size\_t\) == sizeof\(ssize\_t\).
In config-win32.h 'ssize\_t' defaults to 'int'. This
works on 32-bit Windows platforms, but on 64-bit
platforms 'size\_t' is widened to 64 bits \(unsigned
\_\_int64\) and writing through \*wrote writes 64 bits,
whereas wrotep only addresses 32 bits \(namely, the
'int' that 'ssize\_t' defaults to\). In other words,
sizeof\(size\_t\) > sizeof\(ssize\_t\) in that case.
RESOLUTION
In config\_win32.h, change the lines:
/\* Define to 'int' if ssize\_t is not an available
'typedefed' type \*/
\#if \(defined\(\_\_WATCOMC\_\_\) && \(\_\_WATCOMC\_\_ >= 1240\)\) ||
defined\(\_\_POCC\_\_\)
\#else
\#define ssize\_t int
\#endif
...to:
/\* Define to 'long' or '\_\_int64' if ssize\_t is not an
available 'typedefed' type \*/
\#if \(defined\(\_\_WATCOMC\_\_\) && \(\_\_WATCOMC\_\_ >= 1240\)\) ||
defined\(\_\_POCC\_\_\)
\#elif defined\(\_WIN64\)
\#define ssize\_t \_\_int64
\#else
\#define ssize\_t long
\#endif
Best wishes,
Ron <support_at_tarma.com>
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.