From: Viktor Szakats
Date: Thu, 18 Sep 2025 16:50:09 +0000 (+0200)
Subject: examples: fix two issues found by CodeQL
X-Git-Tag: rc-8_17_0-1~350
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f13250edf11312ab8c0425cf39b182a31b53c6f7;p=thirdparty%2Fcurl.git
examples: fix two issues found by CodeQL
- http2-upload: use `fstat()` to query file length to fix TOCTOU.
- ftpuploadresume: fix checking `sscanf()` return value.
Follow-up to b4922b1295333dc6679eb1d588ddc2fb6b7fd5b7 #18564
Closes #18605
---
diff --git a/docs/examples/ftpuploadresume.c b/docs/examples/ftpuploadresume.c
index b02ad928a6..67495aec68 100644
--- a/docs/examples/ftpuploadresume.c
+++ b/docs/examples/ftpuploadresume.c
@@ -38,7 +38,7 @@ static size_t getcontentlengthfunc(void *ptr, size_t size, size_t nmemb,
 long len = 0;
 r = sscanf(ptr, "Content-Length: %ld\n", &len);
- if(r)
+ if(r == 1)
 *((long *) stream) = len;
 return size * nmemb;
diff --git a/docs/examples/http2-upload.c b/docs/examples/http2-upload.c
index 482889ea18..31f4ed56e1 100644
--- a/docs/examples/http2-upload.c
+++ b/docs/examples/http2-upload.c
@@ -45,6 +45,9 @@
 #ifdef _WIN32
 #undef stat
 #define stat _stat
+#undef fstat
+#define fstat _fstat
+#define fileno _fileno
 #endif
 /* curl stuff */
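Review bot: In getcontentlengthfunc() in docs/examples/ftpuploadresume.c, `sscanf(ptr, ...)` treats the callback buffer as a C string, but if this function is installed as a libcurl header callback (the registration is outside the hunk) the data is `size * nmemb` bytes with no guaranteed NUL terminator, so the scan can read past the end of the buffer. The `r == 1` check also still stores a negative length if the server sends one. Parse a bounded, terminated copy of the header instead and reject negative values; this needs `<string.h>` for `memcpy` if the file does not already include it. The function's opening lines, including the declaration of `r`, are outside the hunk.

```c
  long len = 0;
  char line[64];
  size_t n = size * nmemb;

  /* header data is not NUL-terminated: parse a bounded, terminated copy */
  if(n < sizeof(line)) {
    memcpy(line, ptr, n);
    line[n] = '\0';
    r = sscanf(line, "Content-Length: %ld\n", &len);
    if(r == 1 && len >= 0)
      *((long *) stream) = len;
  }

  return size * nmemb;
```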
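Review bot: In the `_WIN32` block of docs/examples/http2-upload.c, `fileno` is redefined without the `#undef` that `stat` and `fstat` get, so a toolchain whose headers already provide `fileno` as a macro would emit a redefinition warning. Adding `#undef fileno` before `#define fileno _fileno` keeps the three mappings consistent.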
@@ -223,24 +226,27 @@ static int setup(struct input *i, int num, const char *upload)
 curl_msnprintf(url, 256, "https://localhost:8443/upload-%d", num);
- /* get the file size of the local file */
- if(stat(upload, &file_info)) {
- fprintf(stderr, "error: could not stat file %s: %s\n", upload,
+ i->in = fopen(upload, "rb");
+ if(!i->in) {
+ fprintf(stderr, "error: could not open file %s for reading: %s\n", upload,
 strerror(errno));
 fclose(out);
 return 1;
 }
- uploadsize = file_info.st_size;
-
- i->in = fopen(upload, "rb");
- if(!i->in) {
- fprintf(stderr, "error: could not open file %s for reading: %s\n", upload,
+#ifdef UNDER_CE
+ if(stat(upload, &file_info) != 0) {
+#else
+ if(fstat(fileno(i->in), &file_info) != 0) {
+#endif
+ fprintf(stderr, "error: could not stat file %s: %s\n", upload,
 strerror(errno));
 fclose(out);
 return 1;
 }
+ uploadsize = file_info.st_size;
+
 hnd = i->hnd = curl_easy_init();
 /* write to this file */
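Review bot: The stat-failure branch that now follows the `fopen()` returns 1 after `fclose(out);` without closing `i->in`, so the input handle leaks on that path; before this change the size query ran ahead of the open and there was nothing to release. Add `fclose(i->in);` and `i->in = NULL;` next to the existing `fclose(out);` in that branch. The `UNDER_CE` branch still calls `stat(upload, ...)` by path after the open, so on that platform the size can describe a different file than the one opened; a one-line comment saying the path-based query is a fallback would help readers who copy the example. setup() begins and ends outside this hunk, so whether a caller releases `i->in` after a non-zero return is not visible here.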