tool_cb_hdr: add an additional parsing check

- Don't dereference the past-the-end element when parsing the server's
  Content-disposition header.

As 'p' is advanced it can point to the past-the-end element and prior
to this change 'p' could be dereferenced in that case.

Technically the past-the-end element is not out of bounds because dynbuf
(which manages the header line) automatically adds a null terminator to
every buffer and that is not included in the buffer length passed to
the header callback.

Closes https://github.com/curl/curl/pull/12320
Jay Satiro 2023-11-14 01:19:14 -05:00
parent 50bf253357
commit efbbbf4f7a

@ -150,16 +150,19 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
char *filename;
size_t len;
while(*p && (p < end) && !ISALPHA(*p))
while((p < end) && *p && !ISALPHA(*p))
p++;
if(p > end - 9)
break;
if(memcmp(p, "filename=", 9)) {
/* no match, find next parameter */
while((p < end) && (*p != ';'))
while((p < end) && *p && (*p != ';'))
p++;
continue;
if((p < end) && *p)
continue;
else
break;
}
p += 9;
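
Review bot: In the no-match branch, the new `if((p < end) && *p) continue; else break;` re-tests the same conditions the preceding `while` has just exited on, so the only state that reaches `continue` is `*p == ';'`, and that deserves a one-line comment. The comment should also say that a NUL byte inside the header now ends parameter scanning here, which matches the first loop but is not obvious from the code. The `else` after `continue` is redundant; `if((p >= end) || !*p) break;` followed by a plain `continue;` reads more directly. As a smaller point on the unchanged context line `if(p > end - 9)`, comparing the remaining length instead, for example `(size_t)(end - p) < 9`, would avoid forming the pointer `end - 9` at all and would keep the check valid regardless of how long the line is.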