From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 9 Jan 2022 16:00:43 +0000 (+0100)
Subject: formdata: avoid size_t => long typecast overflows
X-Git-Tag: curl-7_82_0~213
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8188ca91eb0ac7b0b5c51371fcad857e63969070;p=thirdparty%2Fcurl.git

formdata: avoid size_t => long typecast overflows

Typically a problem for platforms with 32 bit long and 64 bit size_t

Reported-by: Fabian Yamaguchi
Bug: https://hackerone.com/reports/1444539
Closes #8272
---

diff --git a/lib/formdata.c b/lib/formdata.c
index ac7a0009cd..ce11d5b484 100644
--- a/lib/formdata.c
+++ b/lib/formdata.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -77,10 +77,15 @@ AddHttpPost(char *name, size_t namelength,
             struct curl_httppost **last_post)
 {
   struct curl_httppost *post;
+  if(!namelength && name)
+    namelength = strlen(name);
+  if((bufferlength > LONG_MAX) || (namelength > LONG_MAX))
+    /* avoid overflow in typecasts below */
+    return NULL;
   post = calloc(1, sizeof(struct curl_httppost));
   if(post) {
     post->name = name;
-    post->namelength = (long)(name?(namelength?namelength:strlen(name)):0);
+    post->namelength = (long)namelength;
     post->contents = value;
     post->contentlen = contentslength;
     post->buffer = buffer;