From: Jay Satiro Date: Tue, 14 Nov 2023 06:19:14 +0000 (-0500) Subject: tool_cb_hdr: add an additional parsing check X-Git-Tag: curl-8_5_0~101 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=efbbbf4f7a92cc1b6bd5d86b0da567e7c71d0d04;p=thirdparty%2Fcurl.git tool_cb_hdr: add an additional parsing check - Don't dereference the past-the-end element when parsing the server's Content-disposition header. As 'p' is advanced it can point to the past-the-end element and prior to this change 'p' could be dereferenced in that case. Technically the past-the-end element is not out of bounds because dynbuf (which manages the header line) automatically adds a null terminator to every buffer and that is not included in the buffer length passed to the header callback. Closes https://github.com/curl/curl/pull/12320 --- diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c index df44f7aa73..a310e39846 100644 --- a/src/tool_cb_hdr.c +++ b/src/tool_cb_hdr.c @@ -150,16 +150,19 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata) char *filename; size_t len; - while(*p && (p < end) && !ISALPHA(*p)) + while((p < end) && *p && !ISALPHA(*p)) p++; if(p > end - 9) break; if(memcmp(p, "filename=", 9)) { /* no match, find next parameter */ - while((p < end) && (*p != ';')) + while((p < end) && *p && (*p != ';')) p++; - continue; + if((p < end) && *p) + continue; + else + break; } p += 9;
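Review bot: in the "no match, find next parameter" branch, the added `if((p < end) && *p) continue; else break;` repeats the two exit conditions of the `while` directly above it, and the `else` after `continue` is redundant. After that loop the test is true only when `*p` is `';'`, so `if((p >= end) || !*p) break;` followed by a plain `continue;` expresses the same logic with less branching. Both rewritten loops now depend on `(p < end)` being evaluated before `*p`. A short comment at the first `while` would keep a later cleanup from reordering the operands: it should say that the bounds test must come first because, per the commit message, the terminator is supplied by dynbuf and is not counted in the length passed to the callback. The diff touches only src/tool_cb_hdr.c, so a test case with a Content-disposition header that has no `filename=` parameter and ends inside a parameter would cover the new `break` path.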