From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 1 Aug 2017 15:17:06 +0000 (+0200)
Subject: file: output the correct buffer to the user
X-Git-Tag: curl-7_55_0~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c9332fa5e84f24da300b42b1a931ade929d3e27d;p=thirdparty%2Fcurl.git

file: output the correct buffer to the user

Regression brought by 7c312f84ea930d8 (April 2017)

CVE-2017-1000099

Bug: https://curl.haxx.se/docs/adv_20170809C.html

Credit to OSS-Fuzz for the discovery
---

diff --git a/lib/file.c b/lib/file.c
index bd426eac2c..666cbe75be 100644
--- a/lib/file.c
+++ b/lib/file.c
@@ -501,7 +501,7 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
              tm->tm_hour,
              tm->tm_min,
              tm->tm_sec);
-    result = Curl_client_write(conn, CLIENTWRITE_BOTH, buf, 0);
+    result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0);
     if(!result)
       /* set the file size to make it available post transfer */
       Curl_pgrsSetDownloadSize(data, expected_size);