From b7baa784515c9b36d98c8a626f90ba52e7201dc2 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 31 May 2022 14:03:09 +0200 Subject: [PATCH] headers_push: error out if a folded header has no previous header As that would indicate an illegal header. The fuzzer reached the assert in unfold_value() proving that this case can happen. Follow-up to c9b60f005358a364 Closes #8939 --- lib/headers.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/lib/headers.c b/lib/headers.c index 1cedf3d202..c21b9481e3 100644 --- a/lib/headers.c +++ b/lib/headers.c @@ -293,9 +293,14 @@ CURLcode Curl_headers_push(struct Curl_easy *data, const char *header, } hlen = end - header + 1; - if((header[0] == ' ') || (header[0] == '\t')) - /* line folding, append value to the previous header's value */ - return unfold_value(data, header, hlen); + if((header[0] == ' ') || (header[0] == '\t')) { + if(data->state.prevhead) + /* line folding, append value to the previous header's value */ + return unfold_value(data, header, hlen); + else + /* can't unfold without a previous header */ + return CURLE_BAD_FUNCTION_ARGUMENT; + } hs = calloc(1, sizeof(*hs) + hlen); if(!hs)