{“lastseen”:”2025-12-27T14:25:53″,”description”:”## Summary\\nA missing integer overflow check was identified in `lib\/system_win32.c::curl_load_library()`\\nwhen calculating the buffer size for a DLL path. On 32-bit Windows builds, the unchecked\\nsize calculation can wrap around, resulting in an undersized heap allocation followed by\\nunbounded string copies via `_tcscpy()`.\\n\\nWhile the current call sites only pass fixed, trusted strings and no immediate attack\\nvector is identified, the presence of a latent heap corruption primitive places this issue\\nbeyond pure informational hardening and justifies a **Low severity** classification.\\n\\n—\\n\\n## Affected Code\\n**File:** `lib\/system_win32.c` \\n**Function:** `curl_load_library(LPCTSTR filename)`\\n\\n“` c\\nUINT systemdirlen = GetSystemDirectory(NULL, 0);\\nif(systemdirlen) {\\n size_t filenamelen = _tcslen(filename);\\n TCHAR *path = curlx_malloc(sizeof(TCHAR) *\\n (systemdirlen + 1 + filenamelen));\\n if(path \\u0026\\u0026 GetSystemDirectory(path, systemdirlen)) {\\n _tcscpy(path + _tcslen(path), TEXT(\\”\\\\\\\\\\”));\\n _tcscpy(path + _tcslen(path), filename);\\n }\\n curlx_free(path);\\n}\\n“`\\n\\n—\\n\\n## Technical Details\\n\\n### Integer Overflow Condition\\n- `systemdirlen` is of type `UINT` (32-bit)\\n- `filenamelen` is of type `size_t`\\n- The allocation size is computed as:\\n\\n“`\\nsizeof(TCHAR) * (systemdirlen + 1 + filenamelen)\\n“`\\n\\nOn 32-bit platforms, `size_t` arithmetic wraps on overflow. If `filenamelen` is large,\\nthe multiplication can overflow, resulting in a much smaller allocation than intended.\\n\\n### Memory Safety Impact\\nAfter allocation, `_tcscpy()` is used twice without any bounds checking. If the buffer\\nis undersized due to arithmetic wrap-around, this creates a **reliable heap corruption\\ncondition at the code level**, independent of current reachability.\\n\\n—\\n\\n## Why This Is Low Severity (Not Informational)\\n\\n### 1. Heap Corruption Primitive Exists\\nEven though the current code paths are not attacker-controlled, the function contains\\na complete heap corruption pattern (overflowable size calculation + unbounded copy).\\nThis exceeds a stylistic or theoretical issue.\\n\\n### 2. Violation of libcurl\u2019s Own Defensive Patterns\\nOther parts of the codebase explicitly guard against integer overflows in allocation\\ncalculations (e.g. `vauth\/ntlm.c` using `SIZE_MAX` checks). This inconsistency weakens\\nthe overall security posture and makes future maintenance riskier.\\n\\n### 3. Long-Term and Supply-Chain Risk\\n`curl_load_library()` is a general-purpose internal utility. As libcurl evolves or is\\nembedded by third-party software, future refactoring or reuse could unintentionally\\npass unvalidated input to this function, immediately exposing a heap corruption flaw.\\n\\n### 4. Low-Cost, High-Value Fix\\nThe issue can be resolved with a simple bounds check and without changing runtime\\nbehavior in valid cases. This makes it a practical security fix rather than a\\npurely informational observation.\\n\\n—\\n\\n## Recommended Fix\\n\\nAdd an explicit overflow check before allocation, consistent with existing libcurl\\npractices:\\n\\n“` c\\nif(filenamelen \\u003e (SIZE_MAX \/ sizeof(TCHAR)) – systemdirlen – 1) {\\n return NULL;\\n}\\n\\nTCHAR *path = curlx_malloc(sizeof(TCHAR) *\\n (systemdirlen + 1 + filenamelen));\\n“`\\n\\n—\\n\\n## Severity Assessment\\n- **Severity:** Low\\n- **Type:** Integer overflow leading to potential heap-based buffer overflow\\n- **Current Exploitability:** None identified\\n- **Risk Category:** Latent memory corruption \/ future reachability risk\\n\\n—\\n\\n## References\\n- CWE-190: Integer Overflow or Wraparound\\n- CWE-122: Heap-based Buffer Overflow\\n- CERT C: INT30-C (Ensure that unsigned integer operations do not wrap)\\n- libcurl precedent: overflow checks in `vauth\/ntlm.c`\\n\\n## Impact\\n\\n### Impact\\n\\nAt present, no direct attacker-controlled input reaches this code path, and no\\nimmediate exploitation scenario is identified in the current libcurl codebase.\\n\\nHowever, this implementation contains a complete heap corruption primitive\\n(integer overflow in allocation size calculation followed by unbounded string\\ncopies). If this function were to become reachable through future refactoring,\\nnew features, or third-party reuse, an attacker could potentially achieve:\\n\\n- Heap memory corruption on 32-bit Windows builds\\n- Process crash (denial of service)\\n- Potential arbitrary code execution, depending on allocator behavior and\\n surrounding memory layout\\n\\nBecause libcurl is a widely embedded library, such latent issues increase\\nsoftware supply-chain risk and maintenance fragility. Fixing this proactively\\neliminates a memory corruption condition before it becomes externally reachable.”,”published”:”2025-12-26T13:31:26″,”modified”:”2025-12-27T13:47:27″,”type”:”hackerone”,”title”:”curl: Security hardening: missing integer overflow check in curl_load_library()”,”source”:””,”references”:””,”id”:”H1:3479019″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3479019″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-27T14:25:53″,”description”:”## Summary\\nA missing integer overflow check was identified in `lib\/system_win32.c::curl_load_library()`\\nwhen calculating the buffer size for a DLL path. On 32-bit Windows builds, the unchecked\\nsize calculation…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-32976","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n