ffmpeg | branch: master | wm4 <nfx...@googlemail.com> | Thu Mar 8 04:47:40 2018 +0100| [c0687acbf6094053834af6a20e9d71b455842c8c] | committer: wm4
http: avoid out of bound accesses on broken Set-Cookie headers It's trivial to craft a HTTP response that will make the code for skipping trailing whitespace access and possibly overwrite bytes outside of the memory allocation. Why this can happen is blindingly obvious: it accesses cstr[strlen(cstr)-1] without checking whether the string is empty. > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c0687acbf6094053834af6a20e9d71b455842c8c --- libavformat/http.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/http.c b/libavformat/http.c index d7a72e7129..59f90ac603 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -750,6 +750,9 @@ static int parse_set_cookie(const char *set_cookie, AVDictionary **dict) { char *param, *next_param, *cstr, *back; + if (!set_cookie[0]) + return 0; + if (!(cstr = av_strdup(set_cookie))) return AVERROR(EINVAL); _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
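Review bot: The new guard at the top of parse_set_cookie(), "if (!set_cookie[0]) return 0;", only covers a completely empty header value. A value made up solely of whitespace still has non-zero length, so the trailing-whitespace skip that the commit message describes, which starts at cstr[strlen(cstr)-1], should be checked for that input as well, to confirm it cannot step back past the start of cstr. That loop is outside the visible hunk. Bounding it on the buffer start (for example, stopping once back reaches cstr) would handle the empty and the all-whitespace case in one place. A short comment on why an empty header returns 0 rather than an error would also help the next reader.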