From 03a57308b91911cdd91060b237715f0c5fe716da Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 26 Feb 2010 22:55:30 +0000 Subject: [PATCH] - Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a chunked-encoding trailer. http://curl.haxx.se/bug/view.cgi?id=2958474 --- CHANGES | 6 ++++++ RELEASE-NOTES | 4 +++- lib/http_chunks.c | 9 ++++++--- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 35ed8848e..4a79a4c46 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,12 @@ Changelog +Daniel Stenberg (26 Feb 2010) +- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a + chunked-encoding trailer. + + http://curl.haxx.se/bug/view.cgi?id=2958474 + Daniel Fandrich (25 Feb 2010) - Fixed a couple of out of memory leaks and a segfault in the SMTP & IMAP code. diff --git a/RELEASE-NOTES b/RELEASE-NOTES index c33e6a0ce..b6bd52512 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -20,6 +20,7 @@ This release includes the following bugfixes: o SMTP: now waits for 250 after the DATA transfer o SMTP: use angle brackets in RCPT TO o curl --trace-time not using local time + o off-by-one in the chunked encoding trailer parser This release includes the following known bugs: @@ -28,6 +29,7 @@ This release includes the following known bugs: This release would not have looked like this without help, code, reports and advice from friends like these: - Steven M. Schweda, Yang Tse, Jack Zhang, Tom Donovan, Martin Hager + Steven M. Schweda, Yang Tse, Jack Zhang, Tom Donovan, Martin Hager, + Daniel Fandrich, Patrick Monnerat, Pat Ray Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/http_chunks.c b/lib/http_chunks.c index ee35d6603..3649f9ee0 100644 --- a/lib/http_chunks.c +++ b/lib/http_chunks.c 
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -306,14 +306,17 @@ CHUNKcode Curl_httpchunk_read(struct connectdata *conn, /* conn->trailer is assumed to be freed in url.c on a connection basis */ if(conn->trlPos >= conn->trlMax) { + /* in this logic we always allocate one byte more than trlMax + contains, just because CHUNK_TRAILER_POSTCR will append two bytes + so we need to make sure we have room for an extra byte */ char *ptr; if(conn->trlMax) { conn->trlMax *= 2; - ptr = realloc(conn->trailer,conn->trlMax); + ptr = realloc(conn->trailer, conn->trlMax + 1); } else { conn->trlMax=128; - ptr = malloc(conn->trlMax); + ptr = malloc(conn->trlMax + 1); } if(!ptr) return CHUNKE_OUT_OF_MEMORY;
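Review bot: in the lib/http_chunks.c hunk, `conn->trlMax *= 2;` runs before `realloc()` is known to have succeeded, so on the `if(!ptr) return CHUNKE_OUT_OF_MEMORY;` path `conn->trlMax` records a capacity twice as large as the buffer `conn->trailer` actually has; if anything touches the trailer buffer after that return (the comment only says it is freed in url.c on a connection basis), the `trlPos >= trlMax` check will not trigger a regrow and a write could land past the old allocation. Safer to compute the new size into a local, e.g. `size_t newmax = conn->trlMax ? conn->trlMax * 2 : 128; ptr = realloc(conn->trailer, newmax + 1);`, and assign `conn->trlMax = newmax;` only after the NULL check. Second, the fix itself is a one-byte slack allocation rather than a capacity check: the growth condition still compares `trlPos` against `trlMax`, so after the check there is at most one byte of room inside `trlMax` plus the extra byte, which covers exactly the two bytes the new comment says CHUNK_TRAILER_POSTCR appends and nothing more. Either state that invariant where the bytes are appended (a `DEBUGASSERT`-style check that `trlPos + 2 <= trlMax + 1` before the write, or a comment pointing back here) or make the growth condition account for the two-byte write directly, e.g. `if(conn->trlPos + 2 > conn->trlMax)`, so a future change that appends a third byte does not silently reintroduce the overflow. Minor: the `128` and the `+ 1` would read better as named constants (initial trailer size, slack for the CR/LF pair) given the comment now explains them in prose.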