From 646c11f5b88c540f935a277434430a542365ccfb Mon Sep 17 00:00:00 2001
From: Mohammed Keyvanzadeh
Date: Mon, 4 Mar 2024 16:29:24 +0330
Subject: [PATCH] fix: out-of-bounds read of MIME types

Since `i` is the index, it should be less than the size of the vector but the `mimetypes.size() < i` condition does not check for `i` being the same as the size of the vector, which causes an out-of-bounds read in the right operand of the logical OR (`||`) operator which is `mimetypes[i].empty()`.
---
 src/dpp/httpsclient.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/dpp/httpsclient.cpp b/src/dpp/httpsclient.cpp
index d6e4bc7302..b18675cd65 100644
--- a/src/dpp/httpsclient.cpp
+++ b/src/dpp/httpsclient.cpp
@@ -103,7 +103,7 @@ multipart_content https_client::build_multipart(const std::string &json, const s
 /* Multiple files */
 for (size_t i = 0; i < filenames.size(); ++i) {
 content += part_start + "name=\"files[" + std::to_string(i) + "]\"; filename=\"" + filenames[i] + "\"";
- content += "\r\nContent-Type: " + (mimetypes.size() < i || mimetypes[i].empty() ? default_mime_type : mimetypes[i]) + two_cr;
+ content += "\r\nContent-Type: " + (mimetypes.size() <= i || mimetypes[i].empty() ? default_mime_type : mimetypes[i]) + two_cr;
 content += contents[i];
 content += "\r\n";
 }
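Review bot: `content += contents[i];` is still indexed with a loop bound taken only from `filenames.size()`, so a `contents` vector shorter than `filenames` would produce the same kind of out-of-bounds read that this commit fixes for `mimetypes`. The start of build_multipart lies outside the hunk, so a size check may already exist there; if it does not, reject the mismatch before the loop, e.g. `if (contents.size() != filenames.size()) { /* report error */ }`, or guard the access with `i < contents.size()`. Separately, `filenames[i]` is placed inside `filename=\"...\"` without escaping, so a name containing `"` or CR/LF would alter the part header; stripping or escaping those characters is worth doing if file names can come from untrusted input.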