diff options
| author | Dan Fandrich <dan@coneharvesters.com> | 2017-03-11 10:59:34 +0100 |
|---|---|---|
| committer | Dan Fandrich <dan@coneharvesters.com> | 2017-03-12 08:28:31 +0100 |
| commit | 1890d59905414ab84a35892b2e45833654aa5c13 (patch) | |
| tree | e940c3226a4b39bb72760ac21a3d83b06af7965c /src/tool_writeout.c | |
| parent | d2bcf1e3e247d116dc96bd3ea32056e3f089449c (diff) | |
| download | gnurl-1890d59905414ab84a35892b2e45833654aa5c13.tar.gz gnurl-1890d59905414ab84a35892b2e45833654aa5c13.tar.bz2 gnurl-1890d59905414ab84a35892b2e45833654aa5c13.zip | |
tool_writeout: fixed a buffer read overrun on --write-out
If a % ended the statement, the string's trailing NUL would be skipped
and memory past the end of the buffer would be accessed and potentially
displayed as part of the --write-out output. Added tests 1440 and 1441
to check for this kind of condition.
Reported-by: Brian Carpenter
Diffstat (limited to 'src/tool_writeout.c')
| -rw-r--r-- | src/tool_writeout.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/tool_writeout.c b/src/tool_writeout.c index 2fb77742a..7843182f2 100644 --- a/src/tool_writeout.c +++ b/src/tool_writeout.c @@ -113,7 +113,7 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo) double doubleinfo; while(ptr && *ptr) { - if('%' == *ptr) { + if('%' == *ptr && ptr[1]) { if('%' == ptr[1]) { /* an escaped %-letter */ fputc('%', stream); |