package/curl/curl-7.13.1-cve-2005-4077.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

--- curl-7.13.1/lib/url.c.cve-2005-4077	2005-12-08 13:08:03.000000000 +0100
+++ curl-7.13.1/lib/url.c	2005-12-08 13:15:56.565790336 +0100
@@ -2313,12 +2313,18 @@
   if(urllen < LEAST_PATH_ALLOC)
     urllen=LEAST_PATH_ALLOC;
 
-  conn->pathbuffer=(char *)malloc(urllen);
+  /*
+   * We malloc() the buffers below urllen+2 to make room for to possibilities:
+   * 1 - an extra terminating zero
+   * 2 - an extra slash (in case a syntax like "www.host.com?moo" is used)
+   */
+
+  conn->pathbuffer=(char *)malloc(urllen+3);
   if(NULL == conn->pathbuffer)
     return CURLE_OUT_OF_MEMORY; /* really bad error */
   conn->path = conn->pathbuffer;
 
-  conn->host.rawalloc=(char *)malloc(urllen);
+  conn->host.rawalloc=(char *)malloc(urllen+3);
   if(NULL == conn->host.rawalloc)
     return CURLE_OUT_OF_MEMORY;
   conn->host.name = conn->host.rawalloc;