package/network/utils/curl/patches/113-CVE-2018-1000122.patch

   1 From d70b74d6f893947aa22d3f14df10f92a8c349388 Mon Sep 17 00:00:00 2001
   2 From: Daniel Stenberg <daniel@haxx.se>
   3 Date: Thu, 8 Mar 2018 10:33:16 +0100
   4 Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
   5
   6 CVE-2018-1000122
   7 Bug: https://curl.haxx.se/docs/adv_2018-b047.html
   8
   9 Detected by OSS-fuzz
  10 ---
  11  lib/transfer.c | 9 +++++++--
  12  1 file changed, 7 insertions(+), 2 deletions(-)
  13
  14 --- a/lib/transfer.c
  15 +++ b/lib/transfer.c
  16 @@ -791,10 +791,15 @@ static CURLcode readwrite_data(struct Cu
  17
  18      } /* if(!header and data to read) */
  19
  20 -    if(conn->handler->readwrite &&
  21 -       (excess > 0 && !conn->bits.stream_was_rewound)) {
  22 +    if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
  23        /* Parse the excess data */
  24        k->str += nread;
  25 +
  26 +      if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
  27 +        /* the excess amount was too excessive(!), make sure
  28 +           it doesn't read out of buffer */
  29 +        excess = &k->buf[data->set.buffer_size] - k->str;
  30 +      }
  31        nread = (ssize_t)excess;
  32
  33        result = conn->handler->readwrite(data, conn, &nread, &readmore);