From: Daniel Stenberg Date: Sat, 13 Dec 2025 23:13:27 +0000 (+0100) Subject: schannel: cap the maximum allowed size for loading cert X-Git-Tag: rc-8_18_0-2~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c8c34c88e6b2f55adea456608da4c6ef005cd25;p=thirdparty%2Fcurl.git schannel: cap the maximum allowed size for loading cert To avoid problems with mistakes or abuse, cap the largest allowed certificate size to load to CURL_MAX_INPUT_LENGTH bytes (8MB). Closes #19964 --- diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index f1b47cb47f..6159d90ab5 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -588,7 +588,7 @@ static CURLcode schannel_acquire_credential_handle(struct Curl_cfilter *cf, certsize = (size_t)cert_tell; if(continue_reading) continue_reading = fseek(fInCert, 0, SEEK_SET) == 0; - if(continue_reading) + if(continue_reading && (certsize < CURL_MAX_INPUT_LENGTH)) certdata = curlx_malloc(certsize + 1); if((!certdata) || ((int) fread(certdata, certsize, 1, fInCert) != 1))
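Review bot: In the changed condition `if(continue_reading && (certsize < CURL_MAX_INPUT_LENGTH))`, an oversized certificate file is rejected only by skipping the allocation, so it reaches the following `if((!certdata) || ...` check looking exactly like an allocation or read failure. That relies on `certdata` still being NULL at this point (its initialisation is not visible in the hunk) and gives the caller no indication that the size cap was the cause. Consider making the size check its own branch with a dedicated error message before the `curlx_malloc(certsize + 1)` call. Separately, `<` rejects a file of exactly CURL_MAX_INPUT_LENGTH bytes, while the commit message describes that value as the largest allowed size; either use `<=` or describe the limit as exclusive.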