提交 03a57308 编写于 作者: D Daniel Stenberg

- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a

  chunked-encoding trailer.

  http://curl.haxx.se/bug/view.cgi?id=2958474
上级 507d5843
......@@ -6,6 +6,12 @@
Changelog
Daniel Stenberg (26 Feb 2010)
- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
chunked-encoding trailer.
http://curl.haxx.se/bug/view.cgi?id=2958474
Daniel Fandrich (25 Feb 2010)
- Fixed a couple of out of memory leaks and a segfault in the SMTP & IMAP code.
......
......@@ -20,6 +20,7 @@ This release includes the following bugfixes:
o SMTP: now waits for 250 after the DATA transfer
o SMTP: use angle brackets in RCPT TO
o curl --trace-time not using local time
o off-by-one in the chunked encoding trailer parser
This release includes the following known bugs:
......@@ -28,6 +29,7 @@ This release includes the following known bugs:
This release would not have looked like this without help, code, reports and
advice from friends like these:
Steven M. Schweda, Yang Tse, Jack Zhang, Tom Donovan, Martin Hager
Steven M. Schweda, Yang Tse, Jack Zhang, Tom Donovan, Martin Hager,
Daniel Fandrich, Patrick Monnerat, Pat Ray
Thanks! (and sorry if I forgot to mention someone)
......@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
......@@ -306,14 +306,17 @@ CHUNKcode Curl_httpchunk_read(struct connectdata *conn,
/* conn->trailer is assumed to be freed in url.c on a
connection basis */
if(conn->trlPos >= conn->trlMax) {
/* in this logic we always allocate one byte more than trlMax
contains, just because CHUNK_TRAILER_POSTCR will append two bytes
so we need to make sure we have room for an extra byte */
char *ptr;
if(conn->trlMax) {
conn->trlMax *= 2;
ptr = realloc(conn->trailer,conn->trlMax);
ptr = realloc(conn->trailer, conn->trlMax + 1);
}
else {
conn->trlMax=128;
ptr = malloc(conn->trlMax);
ptr = malloc(conn->trlMax + 1);
}
if(!ptr)
return CHUNKE_OUT_OF_MEMORY;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册