From c9332fa5e84f24da300b42b1a931ade929d3e27d Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Tue, 1 Aug 2017 17:17:06 +0200
Subject: [PATCH] file: output the correct buffer to the user

Regression brought by 7c312f84ea930d8 (April 2017)
CVE: CVE-2017-1000099
Bug: https://curl.haxx.se/docs/adv_20170809C.html
Credit to OSS-Fuzz for the discovery
Upstream-Status: Backport https://github.com/curl/curl/commit/c9332fa5e84f24da300b42b1a931ade929d3e27d
Signed-off-by: Wenzong Fan
---
 lib/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/file.c b/lib/file.c
index bd426eac2..666cbe75b 100644
--- a/lib/file.c
+++ b/lib/file.c
@@ -499,11 +499,11 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
 Curl_month[tm->tm_mon],
 tm->tm_year + 1900,
 tm->tm_hour,
 tm->tm_min,
 tm->tm_sec);
- result = Curl_client_write(conn, CLIENTWRITE_BOTH, buf, 0);
+ result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0);
 if(!result)
 /* set the file size to make it available post transfer */
 Curl_pgrsSetDownloadSize(data, expected_size);
 return result;
 }
-- 
2.13.3
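Review bot: The corrected call `Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0)` still passes a length of `0`, which presumably makes the callee measure the buffer by its NUL terminator, so how much memory reaches the client depends entirely on which buffer is named at this call site. Capturing the length returned by the formatting call that fills `header` and passing it, e.g. `result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, headerlen);` (`headerlen` is a placeholder name), would bound the write even if a wrong or uninitialised buffer were named here again. That formatting call begins above the hunk, so whether its return value is already checked cannot be seen from here. The diffstat shows only lib/file.c changing, so a regression test that exercises this path in file_do and compares the emitted header line against the expected text would keep the disclosure from silently returning.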