From f27b8dba73295cb5296a50f2c19c0739b502eb94 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 24 Nov 2023 09:46:32 +0100
Subject: [PATCH] fopen: allocate the dir after fopen

Move the allocation of the directory name down to after the fopen() call to allow that shortcut code path to avoid a superfluous malloc+free cycle.

Follow-up to 73b65e94f35311

Closes #12398

CVE: CVE-2023-46219
Upstream-Status: Backport [https://github.com/curl/curl/commit/f27b8dba73295cb529]
Signed-off-by: Archana Polampalli
---
 lib/fopen.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/lib/fopen.c b/lib/fopen.c
index 1670e32..b663f8b 100644
--- a/lib/fopen.c
+++ b/lib/fopen.c
@@ -98,18 +98,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
 char *tempstore = NULL;
 struct_stat sb;
 int fd = -1;
- char *dir;
+ char *dir = NULL;
 *tempname = NULL;
- dir = dirslash(filename);
- if(!dir)
- goto fail;
-
 *fh = fopen(filename, FOPEN_WRITETEXT);
 if(!*fh)
 goto fail;
 if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)){
- free(dir);
 return CURLE_OK;
 }
 fclose(*fh);
@@ -119,9 +114,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
 if(result)
 goto fail;
- /* The temp file name should not end up too long for the target file
- system */
- tempstore = aprintf("%s%s.tmp", dir, randbuf);
+ dir = dirslash(filename);
+ if(dir) {
+ /* The temp file name should not end up too long for the target file
+ system */
+ tempstore = aprintf("%s%s.tmp", dir, randbuf);
+ free(dir);
+ }
 if(!tempstore) {
 result = CURLE_OUT_OF_MEMORY;
 goto fail;
@@ -148,7 +147,6 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
 if(!*fh)
 goto fail;
- free(dir);
 *tempname = tempstore;
 return CURLE_OK;
@@ -161,7 +159,6 @@ fail:
 free(tempstore);
 *tempname = NULL;
- free(dir);
 return result;
 }
--
2.40.0
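Review bot: After this change `dir` is assigned, used and freed within one block in the next hunk, yet `char *dir = NULL;` keeps it at function scope with an initialiser that is never read. Nothing resets it after `free(dir);`, so the pointer stays dangling for the rest of Curl_fopen; that is harmless now because the last hunk drops `free(dir)` from the `fail:` path, but a later edit that restores it there would double free. Writing `Curl_safefree(dir);` in place of `free(dir);` would close that off. The function begins and ends outside the hunk.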
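Review bot: The `if(!tempstore)` test that follows the new `if(dir) { ... }` block now reports both a dirslash() failure and an aprintf() failure, and it is correct only because `tempstore` is initialised to NULL at its declaration (visible in the first hunk's context). A comment such as `/* tempstore is still NULL here if dirslash() or aprintf() failed */` above that test would document the dependency. Both cases return CURLE_OUT_OF_MEMORY, which presumably matches dirslash() failing only on allocation; its definition is not shown here. This block also calls dirslash() without defining it, so in a backport series the change cited as 73b65e94f35311 has to be applied before this one.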