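--- curl-7.13.1/lib/url.c.cve-2005-4077 2005-12-08 13:08:03.000000000 +0100
+++ curl-7.13.1/lib/url.c 2005-12-08 13:15:56.565790336 +0100
@@ -2313,12 +2313,18 @@
 if(urllen < LEAST_PATH_ALLOC)
 urllen=LEAST_PATH_ALLOC;
 
- conn->pathbuffer=(char *)malloc(urllen);
+ /*
+ * We malloc() the buffers below urllen+2 to make room for to possibilities:
+ * 1 - an extra terminating zero
+ * 2 - an extra slash (in case a syntax like "www.host.com?moo" is used)
+ */
+
+ conn->pathbuffer=(char *)malloc(urllen+3);
 if(NULL == conn->pathbuffer)
 return CURLE_OUT_OF_MEMORY; /* really bad error */
 conn->path = conn->pathbuffer;
 
- conn->host.rawalloc=(char *)malloc(urllen);
+ conn->host.rawalloc=(char *)malloc(urllen+3);
 if(NULL == conn->host.rawalloc)
 return CURLE_OUT_OF_MEMORY;
 conn->host.name = conn->host.rawalloc;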
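Review bot: The added comment says the buffers are allocated as `urllen+2` and lists two extra bytes (terminating zero, extra slash), but both `malloc()` calls pass `urllen+3`, so the third byte is unexplained. In an overflow fix that matters: a later maintainer cannot tell whether the extra byte is deliberate slack or a typo, and may "correct" the size down to match the comment. I would make the comment state the real size and why, e.g. `* We malloc() the buffers below urllen+3: two bytes for the cases listed, plus one spare byte of margin` (also "to possibilities" should read "two possibilities"), and hoist the padding into one named constant used by both allocations so `pathbuffer` and `host.rawalloc` cannot drift apart. The code that writes into these buffers is outside the hunk, so whether the padding covers every parse path cannot be confirmed from here.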