author | nicolas.dufresne@gmail.com <nicolas.dufresne@gmail.com@c587cffe-e639-0410-9787-d7902ae8ed56> | 2012-10-10 16:14:27 +0000 |
---|---|---|
committer | nicolas.dufresne@gmail.com <nicolas.dufresne@gmail.com@c587cffe-e639-0410-9787-d7902ae8ed56> | 2012-10-10 16:14:27 +0000 |
commit | da6abc27330b160d5b7a4c6e455bbb349a7049db (patch) | |
tree | a7826045ff4ebc34c777ba9b78526d556c366eaf | |
parent | bbfab384761c6582c3622a16c22ba47c43748902 (diff) | |
download | libproxy-da6abc27330b160d5b7a4c6e455bbb349a7049db.tar.gz |
Fix buffer overflow downloading large pac file
This fixes CVE-2012-4504
git-svn-id: http://libproxy.googlecode.com/svn/trunk@853 c587cffe-e639-0410-9787-d7902ae8ed56
-rw-r--r-- | libproxy/url.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
index d00adfd..dcebcde 100644
--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
@@ -474,9 +474,10 @@ char* url::get_pac() {
 // Add this chunk to our content length,
 // ensuring that we aren't over our max size
 content_length += chunk_length;
- if (content_length >= PAC_MAX_SIZE) break;
 }
+ if (content_length >= PAC_MAX_SIZE) break;
+
 while (recvd != content_length) {
 int r = recv(sock, buffer + recvd, content_length - recvd, 0);
 if (r < 0) break; |
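Review bot: The bound check added after the chunked block runs only after `content_length += chunk_length;`, so if both values are unsigned (their declarations are outside the hunk) a very large chunk size sent by the server could wrap the sum back under `PAC_MAX_SIZE` and still reach `recv(sock, buffer + recvd, content_length - recvd, 0)`. Testing the chunk against the remaining room before the addition, for example `if (chunk_length >= PAC_MAX_SIZE - content_length) break;`, would hold regardless of how the sum behaves. Separately, the receive loop stops only on `r < 0`; a `recv` return of 0 (peer closed before the announced length arrived) appears to leave `recvd != content_length` true indefinitely, so `if (r <= 0) break;` looks safer. The enclosing loop and the rest of `url::get_pac()` lie outside this hunk, so both points should be confirmed against the full function.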