[FFmpeg-devel,2/3] http: avoid out of bound accesses on broken Set-Cookie headers

Submitted by wm4 on March 8, 2018, 3:53 a.m.

Details

Message ID 20180308035357.18138-2-nfxjfg@googlemail.com
State Accepted
Commit c0687acbf6094053834af6a20e9d71b455842c8c

Commit Message

wm4 March 8, 2018, 3:53 a.m.
It's trivial to craft a HTTP response that will make the code for
skipping trailing whitespace access and possibly overwrite bytes outside
of the memory allocation. Why this can happen is blindingly obvious: it
accesses cstr[strlen(cstr)-1] without checking whether the string is
empty.
---
 libavformat/http.c | 3 +++
 1 file changed, 3 insertions(+)

Patch

diff --git a/libavformat/http.c b/libavformat/http.c
index d7a72e7129..59f90ac603 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -750,6 +750,9 @@  static int parse_set_cookie(const char *set_cookie, AVDictionary **dict)
 {
     char *param, *next_param, *cstr, *back;
 
+    if (!set_cookie[0])
+        return 0;
+
     if (!(cstr = av_strdup(set_cookie)))
         return AVERROR(EINVAL);
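
Review bot: The new guard at the top of parse_set_cookie() tests only `set_cookie[0]`, so it covers the empty string but not a value that consists entirely of whitespace. The commit message locates the fault in the trailing-whitespace skip that starts at `cstr[strlen(cstr)-1]`, which is outside this hunk; if that loop steps backwards with no lower bound, an all-whitespace value can still move the pointer in front of the allocation. Consider bounding the loop itself (stop once the pointer reaches `cstr`) instead of relying only on the early return, and add a one-line comment on the guard saying why an empty header returns 0 (success) rather than an error.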