http: avoid out of bound accesses on broken Set-Cookie headers

It's trivial to craft a HTTP response that will make the code for skipping trailing whitespace access and possibly overwrite bytes outside of the memory allocation. Why this can happen is blindingly obvious: it accesses cstr[strlen(cstr)-1] without checking whether the string is empty.

http: avoid out of bound accesses on broken Set-Cookie headers
It's trivial to craft a HTTP response that will make the code for skipping trailing whitespace access and possibly overwrite bytes outside of the memory allocation. Why this can happen is blindingly obvious: it accesses cstr[strlen(cstr)-1] without checking whether the string is empty.
c0687acb · wm4 · 39c1d170 · c0687acb
Commit c0687acb authored Mar 08, 2018 by wm4
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

http.c libavformat/http.c +3 -0

No files found.
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -750,6 +750,9 @@ static int parse_set_cookie(const char *set_cookie, AVDictionary **dict)
 {
    char *param, *next_param, *cstr, *back;

+    if (!set_cookie[0])
+        return 0;
+
    if (!(cstr = av_strdup(set_cookie)))
        return AVERROR(EINVAL);