{"id":"CURL-CVE-2018-1000301","summary":"RTSP bad headers buffer over-read","details":"curl can be tricked into reading data beyond the end of a heap based buffer\nused to store downloaded content.\n\nWhen servers send RTSP responses back to curl, the data starts out with a set\nof headers. curl parses that data to separate it into a number of headers to\ndeal with those appropriately and to find the end of the headers that signal\nthe start of the \"body\" part.\n\nThe function that splits up the response into headers is called\n`Curl_http_readwrite_headers()` and in situations where it cannot find a single\nheader in the buffer, it might end up leaving a pointer pointing into the\nbuffer instead of to the start of the buffer which then later on may lead to\nan out of buffer read when code assumes that pointer points to a full buffer\nsize worth of memory to use.\n\nThis could potentially lead to information leakage but most likely a\ncrash/denial of service for applications if a server triggers this flaw.","aliases":["CVE-2018-1000301"],"modified":"2026-04-25T20:30:31.547713Z","published":"2018-05-16T08:00:00Z","database_specific":{"CWE":{"id":"CWE-126","desc":"Buffer Over-read"},"www":"https://curl.se/docs/CVE-2018-1000301.html","severity":"Medium","last_affected":"7.59.0","URL":"https://curl.se/docs/CVE-2018-1000301.json","package":"curl","affects":"both"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.20.0"},{"fixed":"7.60.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"bc4582b68a673d3b0f5a2e7d971605de2c8b3730"},{"fixed":"8c7b3737d29ed5c0575bf592063de8a51450812d"}]}],"versions":["7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:30:31Z","source":"https://curl.se/docs/CURL-CVE-2018-1000301.json","vanir_signatures":[{"signature_type":"Function","source":"https://github.com/curl/curl.git/commit/8c7b3737d29ed5c0575bf592063de8a51450812d","id":"CURL-CVE-2018-1000301-21826962","digest":{"length":13923,"function_hash":"37860886073078372341497195057354531055"},"signature_version":"v1","deprecated":false,"target":{"file":"lib/http.c","function":"Curl_http_readwrite_headers"}},{"signature_type":"Line","source":"https://github.com/curl/curl.git/commit/8c7b3737d29ed5c0575bf592063de8a51450812d","id":"CURL-CVE-2018-1000301-f45502dd","digest":{"line_hashes":["60540376985795332104885178944460297627","32121863850034651570678934636920241612","210976118834394436936769943085360174365","12613360968588433500604004387603295497","233511850012068601660191913109716389610","310310701518340729159613488610066335964","163153379115803148264174895663674330793","236333589854267053654038544780176612755"],"threshold":0.9},"signature_version":"v1","deprecated":false,"target":{"file":"lib/http.c"}}]}}],"schema_version":"1.7.5","credits":[{"name":"OSS-Fuzz","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"},{"name":"Max Dymond","type":"OTHER"}]}