Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
curl.19331
curl-7.37.0-CVE-2018-1000122.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-7.37.0-CVE-2018-1000122.patch of Package curl.19331
From 55001f89b773228967529b0c6091697779d51671 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Thu, 8 Mar 2018 10:33:16 +0100 Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end Triggered by RTSP fuzzing. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6483 Detected by OSS-fuzz --- lib/transfer.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) Index: curl-7.37.0/lib/transfer.c =================================================================== --- curl-7.37.0.orig/lib/transfer.c +++ curl-7.37.0/lib/transfer.c @@ -764,10 +764,14 @@ static CURLcode readwrite_data(struct Se } /* if(! header and data to read ) */ - if(conn->handler->readwrite && - (excess > 0 && !conn->bits.stream_was_rewound)) { + if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) { /* Parse the excess data */ k->str += nread; + if(&k->str[excess] > &k->buf[data->set.buffer_size]) { + /* the excess amount was too excessive(!), make sure + it doesn't read out of buffer */ + excess = &k->buf[data->set.buffer_size] - k->str; + } nread = (ssize_t)excess; result = conn->handler->readwrite(data, conn, &nread, &readmore);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor