[FFmpeg-cvslog] http: avoid out of bound accesses on broken Set-Cookie headers
wm4
git at videolan.org
Sun Mar 18 13:42:48 EET 2018
ffmpeg | branch: master | wm4 <nfxjfg at googlemail.com> | Thu Mar 8 04:47:40 2018 +0100| [c0687acbf6094053834af6a20e9d71b455842c8c] | committer: wm4
http: avoid out of bound accesses on broken Set-Cookie headers
It's trivial to craft an HTTP response that will make the code for
skipping trailing whitespace access and possibly overwrite bytes outside
of the memory allocation. Why this can happen is blindingly obvious: it
accesses cstr[strlen(cstr)-1] without checking whether the string is
empty.
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c0687acbf6094053834af6a20e9d71b455842c8c
---
libavformat/http.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/http.c b/libavformat/http.c
index d7a72e7129..59f90ac603 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -750,6 +750,9 @@ static int parse_set_cookie(const char *set_cookie, AVDictionary **dict)
{
char *param, *next_param, *cstr, *back;
+ if (!set_cookie[0])
+ return 0;
+
if (!(cstr = av_strdup(set_cookie)))
return AVERROR(EINVAL);
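Review bot: The new `if (!set_cookie[0])` guard at the top of parse_set_cookie only covers a zero-length header. A Set-Cookie value made up entirely of whitespace is non-empty, so it passes this check and still reaches the trailing-whitespace skipping that the commit message describes as starting at cstr[strlen(cstr)-1]. That loop is not part of this hunk, so it cannot be confirmed from here that it stops at the start of cstr; if it has no lower bound, add one against the buffer start (for example, stop once `back` would move below `cstr`) instead of relying on the input check alone. Separately, the early `return 0;` reports success without touching *dict, so callers should be checked to make sure they cope with a successful return and no cookie entries.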