File curl-7.37.0-CVE-2018-1000122.patch of Package curl.12450

From 55001f89b773228967529b0c6091697779d51671 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 8 Mar 2018 10:33:16 +0100
Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end

Triggered by RTSP fuzzing.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6483

Detected by OSS-fuzz
---
 lib/transfer.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Index: curl-7.37.0/lib/transfer.c
===================================================================
--- curl-7.37.0.orig/lib/transfer.c
+++ curl-7.37.0/lib/transfer.c
@@ -764,10 +764,14 @@ static CURLcode readwrite_data(struct Se
 
     } /* if(! header and data to read ) */
 
-    if(conn->handler->readwrite &&
-       (excess > 0 && !conn->bits.stream_was_rewound)) {
+    if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
       /* Parse the excess data */
       k->str += nread;
+      if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
+        /* the excess amount was too excessive(!), make sure
+           it doesn't read out of buffer */
+        excess = &k->buf[data->set.buffer_size] - k->str;
+      }
       nread = (ssize_t)excess;
 
       result = conn->handler->readwrite(data, conn, &nread, &readmore);
openSUSE Build Service is sponsored by