]> git.ipfire.org Git - thirdparty/tvheadend.git/commitdiff
projects / thirdparty / tvheadend.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 465f64c)
http client: fix possible out-of-range data access, fixes #3611
authorJaroslav Kysela <perex@perex.cz>
Thu, 24 Mar 2016 08:03:27 +0000 (09:03 +0100)
committerJaroslav Kysela <perex@perex.cz>
Thu, 24 Mar 2016 08:03:27 +0000 (09:03 +0100)
src/httpc.c patch | blob | blame | history

diff --git a/src/httpc.c b/src/httpc.c
index 701a64855a61a58f3de8d1c0e8cfc9041888bdb2..da91f9a454db750ba52006aa9ed58777fabf6406 100644 (file)
--- a/src/httpc.c
+++ b/src/httpc.c
@@ -901,7 +901,7 @@ static int
 http_client_run0( http_client_t *hc )
 {
   char *buf, *saveptr, *argv[3], *d, *p;
-  int ver, res, delimsize = 4;
+  int ver, res, delimsize;
   ssize_t r;
   size_t len;
 
@@ -929,10 +929,13 @@ http_client_run0( http_client_t *hc )
 
   buf = alloca(hc->hc_io_size);
   if (!hc->hc_in_data && !hc->hc_in_rtp_data && hc->hc_rpos > 3) {
+    hc->hc_rbuf[hc->hc_rpos] = '\0';
     if (hc->hc_version == RTSP_VERSION_1_0 && hc->hc_rbuf[0] == '$')
       goto rtsp_data;
-    else if ((d = strstr(hc->hc_rbuf, "\r\n\r\n")) != NULL)
+    else if ((d = strstr(hc->hc_rbuf, "\r\n\r\n")) != NULL) {
+      delimsize = 4;
       goto header;
+    }
     if ((d = strstr(hc->hc_rbuf, "\n\n")) != NULL) {
       delimsize = 2;
       goto header;
@@ -984,13 +987,14 @@ retry:
   }
   memcpy(hc->hc_rbuf + hc->hc_rpos, buf, r);
   hc->hc_rpos += r;
-  hc->hc_rbuf[hc->hc_rpos] = '\0';
 
 next_header:
   if (hc->hc_rpos < 3)
     return HTTP_CON_RECEIVING;
   if (hc->hc_version == RTSP_VERSION_1_0 && hc->hc_rbuf[0] == '$')
     goto rtsp_data;
+  hc->hc_rbuf[hc->hc_rpos] = '\0';
+  delimsize = 4;
   if ((d = strstr(hc->hc_rbuf, "\r\n\r\n")) == NULL) {
     delimsize = 2;
     if ((d = strstr(hc->hc_rbuf, "\n\n")) == NULL)
Mirror of https://github.com/tvheadend/tvheadend.git