From c0687acbf6094053834af6a20e9d71b455842c8c Mon Sep 17 00:00:00 2001 From: wm4 Date: Thu, 8 Mar 2018 04:47:40 +0100 Subject: [PATCH] http: avoid out of bound accesses on broken Set-Cookie headers It's trivial to craft a HTTP response that will make the code for skipping trailing whitespace access and possibly overwrite bytes outside of the memory allocation. Why this can happen is blindingly obvious: it accesses cstr[strlen(cstr)-1] without checking whether the string is empty. --- libavformat/http.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/http.c b/libavformat/http.c index d7a72e7129..59f90ac603 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -750,6 +750,9 @@ static int parse_set_cookie(const char *set_cookie, AVDictionary **dict) { char *param, *next_param, *cstr, *back; + if (!set_cookie[0]) + return 0; + if (!(cstr = av_strdup(set_cookie))) return AVERROR(EINVAL);