From 2aee31375f38b840f1dd9f4b58c6215f567d66da Mon Sep 17 00:00:00 2001
From: Kawe Mazidjatari <48657826+Mauler125@users.noreply.github.com>
Date: Mon, 12 Jun 2023 20:13:24 +0200
Subject: [PATCH] Fix 'CVE-2018-1000122'

Merge: curl/curl@d52dc4760f6d9ca1937eefa20
---
 r5dev/thirdparty/curl/transfer.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/r5dev/thirdparty/curl/transfer.c b/r5dev/thirdparty/curl/transfer.c
index 1f6d26d7..7c0601fb 100644
--- a/r5dev/thirdparty/curl/transfer.c
+++ b/r5dev/thirdparty/curl/transfer.c
@@ -791,10 +791,15 @@ static CURLcode readwrite_data(struct Curl_easy *data,
 
     } /* if(!header and data to read) */
 
-    if(conn->handler->readwrite &&
-       (excess > 0 && !conn->bits.stream_was_rewound)) {
+    if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
       /* Parse the excess data */
       k->str += nread;
+
+      if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
+        /* the excess amount was too excessive(!), make sure
+           it doesn't read out of buffer */
+        excess = &k->buf[data->set.buffer_size] - k->str;
+      }
       nread = (ssize_t)excess;
 
       result = conn->handler->readwrite(data, conn, &nread, &readmore);