From d70b74d6f893947aa22d3f14df10f92a8c349388 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 8 Mar 2018 10:33:16 +0100 Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end CVE-2018-1000122 Bug: https://curl.haxx.se/docs/adv_2018-b047.html Detected by OSS-fuzz --- lib/transfer.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/lib/transfer.c +++ b/lib/transfer.c @@ -791,10 +791,15 @@ static CURLcode readwrite_data(struct Cu } /* if(!header and data to read) */ - if(conn->handler->readwrite && - (excess > 0 && !conn->bits.stream_was_rewound)) { + if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) { /* Parse the excess data */ k->str += nread; + + if(&k->str[excess] > &k->buf[data->set.buffer_size]) { + /* the excess amount was too excessive(!), make sure + it doesn't read out of buffer */ + excess = &k->buf[data->set.buffer_size] - k->str; + } nread = (ssize_t)excess; result = conn->handler->readwrite(data, conn, &nread, &readmore);