| author | 2023-04-10 01:34:48 -0700 | |
|---|---|---|
| committer | 2023-04-10 01:34:48 -0700 | |
| commit | ea9c030249cb3db7a923c8e546df9897e0a39384 (patch) | |
| tree | fa4bc80525da91bfe9da28704e21a4c9efe1c77d | |
| parent | Avoid reading too much data in xs_data_new (diff) | |
Fix heap overflow from curl-originating buffers
Most of xs.h seems to expect that buffers are rounded up to block size,
so we should preserve that invariant here. (In particular, xs_expand
will avoid calling xs_realloc if the new size fits in the same block,
which means that if we don't pad out the data it will expand out of the
memory we're allocated.)
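
The invariant described in the commit message, modelled as an added example (not code from snac2 or xs.h). The 16-byte block size, the `model_*` names and the "skip realloc when the size stays in the same block" rule are assumptions taken from the message's description, not from the library source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_BLK 16 /* assumed block size; the real value is defined in xs.h */

/* Round a size up to a whole number of blocks (stand-in for _xs_blk_size). */
static size_t model_blk_size(size_t sz)
{
    return ((sz + MODEL_BLK - 1) / MODEL_BLK) * MODEL_BLK;
}

struct model_buf {
    size_t size;      /* bytes the library believes are in use */
    size_t allocated; /* bytes actually obtained from the allocator */
};

/* Assumed expand logic: reallocate only when the new size lands in a
   different block. Returns false if the buffer now extends past its allocation. */
static bool model_expand(struct model_buf *b, size_t extra)
{
    size_t new_size = b->size + extra;

    if (model_blk_size(new_size) != model_blk_size(b->size))
        b->allocated = model_blk_size(new_size); /* realloc path */
    b->size = new_size;
    return b->size <= b->allocated;
}

/* Allocate for `received` bytes plus a terminator, exactly (before the fix)
   or padded to the block size (after the fix), then grow by `extra`. */
static bool model_grow_is_safe(size_t received, size_t extra, bool padded)
{
    struct model_buf b;

    b.size = received + 1;
    b.allocated = padded ? model_blk_size(b.size) : b.size;
    return model_expand(&b, extra);
}

int main(void)
{
    printf("exact alloc, +5:  %s\n", model_grow_is_safe(20, 5, false) ? "ok" : "out of bounds");
    printf("padded alloc, +5: %s\n", model_grow_is_safe(20, 5, true) ? "ok" : "out of bounds");
    printf("exact alloc, +20: %s\n", model_grow_is_safe(20, 20, false) ? "ok" : "out of bounds");
    return 0;
}
```

The third case shows why such a bug can go unnoticed in testing: growth that crosses a block boundary takes the realloc path and repairs the allocation, so only growth that stays within the block runs past the exact-size buffer.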
| -rw-r--r-- | xs_curl.h | 2 |
1 files changed, 1 insertions, 1 deletions
| @@ -55,7 +55,7 @@ static int _data_callback(void *buffer, size_t size, | |||
| 55 | 55 | ||
| 56 | /* open space */ | 56 | /* open space */ |
| 57 | pd->size += sz; | 57 | pd->size += sz; |
| 58 | pd->data = xs_realloc(pd->data, pd->size + 1); | 58 | pd->data = xs_realloc(pd->data, _xs_blk_size(pd->size + 1)); |
| 59 | 59 | ||
| 60 | /* copy data */ | 60 | /* copy data */ |
| 61 | memcpy(pd->data + pd->offset, buffer, sz); | 61 | memcpy(pd->data + pd->offset, buffer, sz); |
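
Review bot: at new line 58 the block-size invariant is restored only at this one call site, and nothing in the code records why the rounding is needed; a short comment next to `_xs_blk_size(pd->size + 1)`, or doing the rounding inside `xs_realloc` itself if every caller expects padded buffers, would keep a later edit from reintroducing the exact-size allocation. Separately, `pd->size += sz;` on line 57 feeds that size computation with no overflow check visible in this hunk, and the pointer returned by `xs_realloc` goes straight into the `memcpy` on line 61 with no NULL check visible here; worth confirming both are handled outside the lines shown.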